@Octavian Mocanu, thank you for the question.
Note that the GuestAndHybridManagement tag is used for Update Management and Change tracking using Azure Automation, and not for runbook worker or runbook execution.
Also, as mentioned in the article here - Runbook execution environment
Enabling the Azure Firewall on Azure Storage, Azure Key Vault, or Azure SQL blocks access from Azure Automation runbooks for those services. Access will be blocked even when the firewall exception to allow trusted Microsoft services is enabled, as Automation isn't a part of the trusted services list. With an enabled firewall, access can only be made by using a Hybrid Runbook Worker and a virtual network service endpoint.
Based on these details, you may use a Hybrid Runbook Worker (where the runbooks would execute, instead of the Azure Automation Sandbox) so that you have a limited set of IP addresses which need to be added to the allow list on Azure App Service.
Hope this helps.
If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.