Thank you for reaching out to, I understand you are unable to connect to a REST API Web App from your on-prem devices. The VPN connection is successful, and you have set up a private endpoint for your web app with private DNS zones.
Based on the points above, I think you need to set up VNet integration for the web app for outbound connectivity as documented here. Private endpoint is only used for incoming traffic to your app. Outgoing traffic won't use this private endpoint. You can inject outgoing traffic to your network in a different subnet through the virtual network integration feature.
Apart from this, you can also check if there is any DNS resolution issue for the web app. A quick way to isolate this issue is to create a VM in the virtual network of the web app and try to resolve the API; the web app should resolve successfully using the private DNS zone. For on-prem devices, I think you will have to implement an Azure private DNS resolver in your setup. Azure DNS Private Resolver is a new service that enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying VM-based DNS servers.
You can take a look at this guideline to help with DNS resolution. You can also take a look at this Architecture to understand how private DNS resolver works.
Additionally, you can also take a look at this tutorial which implements a similar scenario as yours using Azure private DNS resolver.
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
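To make the DNS isolation step above concrete, here is an added example (not part of the answer or of any Azure tooling) that takes the answer section of a `dig` query for the web app hostname and reports whether it resolved through the private endpoint or to the public address. It assumes the `privatelink.azurewebsites.net` zone that App Service private endpoints use; the sample outputs and the 10.0.1.5 / 20.50.60.70 addresses are constructed.

```python
import ipaddress
import re

# Private DNS zone used for App Service private endpoints (assumption, see lead-in).
PRIVATELINK_SUFFIX = ".privatelink.azurewebsites.net."
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A)\s+(\S+)$")


def parse_answer(dig_output: str) -> list[tuple[str, str, str]]:
    """Return (name, type, value) triples from dig-style answer lines, skipping comments."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
    return records


def classify(dig_output: str) -> str:
    """'private-endpoint' if the name went via the privatelink zone to an RFC1918 address,
    'public' if it ended on a public IP, 'no-privatelink' if the CNAME chain never reached
    the privatelink zone (no private endpoint for this hostname), 'no-answer' otherwise."""
    records = parse_answer(dig_output)
    a_records = [ipaddress.ip_address(v) for _, t, v in records if t == "A"]
    via_privatelink = any(t == "CNAME" and v.endswith(PRIVATELINK_SUFFIX) for _, t, v in records)
    if not a_records:
        return "no-answer"
    if not via_privatelink:
        return "no-privatelink"
    return "private-endpoint" if all(ip.is_private for ip in a_records) else "public"


# Constructed sample: query from a VM inside the VNet with the private zone linked.
VM_IN_VNET = """;; ANSWER SECTION:
myapi.azurewebsites.net.            60  IN CNAME myapi.privatelink.azurewebsites.net.
myapi.privatelink.azurewebsites.net. 10 IN A     10.0.1.5
"""

# Constructed sample: query from an on-prem client whose resolver only sees public DNS.
ON_PREM_NO_RESOLVER = """;; ANSWER SECTION:
myapi.azurewebsites.net.            60  IN CNAME myapi.privatelink.azurewebsites.net.
myapi.privatelink.azurewebsites.net. 60 IN CNAME waws-prod-example.sip.azurewebsites.windows.net.
waws-prod-example.sip.azurewebsites.windows.net. 60 IN A 20.50.60.70
"""

if __name__ == "__main__":
    print("VM in VNet:", classify(VM_IN_VNET))
    print("On-prem without resolver:", classify(ON_PREM_NO_RESOLVER))
```

If the on-prem client returns "public" while the VNet VM returns "private-endpoint", the private DNS zone itself is fine and the gap is the on-prem forwarding path, which is what the DNS Private Resolver addresses.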