Got this solved.
- The on-prem AD user is a member of the protected users group.
NTLM authentication is disabled for such a user, and since the bastion service is going by IP connection only -- the authentication downgrades to NTLM.
Problem solved... use a user that can auth with NTLM. So yes - it's possible, and you also have to support NTLM until such time as Bastion supports supplying the FQDN of the VM.
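To confirm that this is what is happening in your own environment, here is an added PowerShell check (not from the post above) that reports whether an account is a direct member of Protected Users and which authentication package (NTLM or Kerberos) its recent logons on the target VM used. It assumes the ActiveDirectory RSAT module is installed, that it runs elevated on the VM reached through Bastion, and that `jdoe` is a placeholder for the account you are testing.

```powershell
# Added diagnostic (not from the original post). Run elevated on the VM you
# reach through Bastion, with the ActiveDirectory RSAT module available.
# $SamAccountName 'jdoe' is a placeholder account name; replace it.
param(
    [string]$SamAccountName = 'jdoe',
    [int]$Hours = 24
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Is the account a direct member of the Protected Users group?
#    Members of this group cannot authenticate with NTLM at all.
$protectedDn = (Get-ADGroup -Identity 'Protected Users').DistinguishedName
$user        = Get-ADUser -Identity $SamAccountName -Properties MemberOf
$isProtected = $user.MemberOf -contains $protectedDn
"{0} in Protected Users: {1}" -f $user.SamAccountName, $isProtected

# 2. Pull recent logon events for the account (4624 = success, 4625 = failure)
#    and show the authentication package each one used. An RDP session opened
#    by IP address has no SPN to request a ticket for and typically shows
#    'NTLM'; a session opened by FQDN should show 'Kerberos'.
$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Parse the EventData fields out of the event XML into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

    if ($data['TargetUserName'] -ne $SamAccountName) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id                       # 4624 success / 4625 failure
        LogonType   = $data['LogonType']          # 10 = RemoteInteractive (RDP)
        AuthPackage = $data['AuthenticationPackageName']
        Source      = $data['IpAddress']
        Status      = $data['Status']             # only populated on 4625
    }
}
```

If the account shows `True` for Protected Users and the Bastion-originated 4625 events list `NTLM` as the package, you are seeing exactly the downgrade described above; a non-protected test account should instead produce 4624 events with `NTLM`, and a connection by FQDN (once supported) should produce `Kerberos`.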