Is the new firewall you put in place performing some sort of TLS inspection for outbound traffic? My thought is, your previous firewall may have been allowing the outbound 443 traffic from your internal IIS server without any application-layer inspection.
Please check on your new firewall if you can add some sort of exception rule for your internal IIS server's IP so that its outbound 443 connections to Azure Relay servers are not inspected/interfered with at all. If possible, make this change and then test (restart and confirm the link comes up). Exempt the IP from session timeouts or similar as well, if possible.
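
One way to test the TLS-inspection theory from the IIS server itself, as an added example that is not part of the original reply: the script opens a TLS session to the Relay endpoint and reports who issued the certificate that actually arrives. The host name is a placeholder for your own Relay namespace, and `-ExpectedIssuer` is an assumed parameter holding the issuer string recorded from a path that bypasses the firewall.

```powershell
param(
    [string]$RelayHost = '<your-namespace>.servicebus.windows.net',  # placeholder, use your namespace
    [int]$Port = 443,
    [string]$ExpectedIssuer = ''  # assumption: issuer seen from a network that bypasses the firewall
)

$ssl = $null
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($RelayHost, $Port)
} catch {
    Write-Output "TCP connect to ${RelayHost}:$Port failed: $($_.Exception.Message)"
    return
}

try {
    # Accept whatever certificate is presented so it can be examined; no application data is sent.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($RelayHost)   # sends the host name as SNI
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Build the chain against the local trust store to see which CA it ends at.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($leaf)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject        = $leaf.Subject
        Issuer         = $leaf.Issuer
        ChainTop       = $top.Subject
        TrustedLocally = $trusted
        Thumbprint     = $leaf.Thumbprint
        Protocol       = $ssl.SslProtocol
    } | Format-List

    if ($ExpectedIssuer -and $leaf.Issuer -ne $ExpectedIssuer) {
        Write-Output 'Issuer differs from the reference: consistent with the firewall re-signing the session (TLS inspection).'
    } elseif ($ExpectedIssuer) {
        Write-Output 'Issuer matches the reference: the certificate is not being replaced on this path.'
    }
} catch {
    # A reset or timeout during the handshake is itself a sign the firewall is interfering.
    Write-Output "TLS handshake failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}
```

Run it before and after adding the exception rule; an issuer naming the firewall vendor or an internal CA before the change, and a public CA after it, confirms the rule took effect.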