Wow, you asked such a straight-forward question. Too bad nobody gave a straight-forward answer. Hopefully you figured this out already, but I'm adding an answer for anybody who comes behind.
You are correct that if you use SSL offloading, traffic between Front Door and the back-end site will not be encrypted. You are also correct to suspect this is not PCI compliant. IF a bad actor manages to get into the "public side" Azure backbone, they will have direct access to information being transmitted. This backbone, while secure, is public by definition -- thus can not be "secure enough" for unencrypted PCI protected data. Further, Microsoft employees with sufficient admin privilege will be able to access the information. Not saying they would (and I'm sure they wouldn't), but a zero trust model dictates we consider them a threat. You have no audit trail available if a Microsoft employee does access the information even for legitimate purposes, such as back-end network troubleshooting. Again, a potential problem for PCI compliance.
Based on my understanding of PCI, if you use the SSL offload feature of Front Door, your site will not be PCI compliant.
From a security perspective, putting aside the compliance question, sensitive information should be encrypted end-to-end.