Thank you for reaching out. Based on your question above:
I am uncertain about which path outgoing (Internet) traffic will take if the traffic is originating from a back-end pool server (spoke). Is Azure Firewall required, or will Application Gateway with WAF take care of outgoing traffic?
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications.
Now, as only Azure Application Gateway WAF is deployed in the hub, the outgoing traffic originating from the back-end pool server (spoke) to the internet will not go via the App Gateway's public IP, as it is only meant for inbound traffic.
If there is a public IP assigned to the back-end pool server, the outgoing traffic to the internet will use this IP address. If there is no public IP assigned to the back-end pool server (spoke), the outgoing traffic will go to the internet using the default outbound IP address.
Deploying an Azure Firewall in this scenario is a good idea, as you can use the Outbound TLS Inspection feature of the firewall to inspect the outbound traffic originating from the back-end server.
This scenario of deploying Azure Application gateway along with Azure Firewall is described in this guide here.
For a parallel implementation, this will be the traffic flow.
It will also help if you could go through this guidance for the hub and spoke topology for Azure Firewall and Application Gateway.
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
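As an added example (not part of the answer above, nor code from the Microsoft guides it links), a Bicep route table that forces the spoke back-end subnet's internet-bound traffic through the hub Azure Firewall instead of the default outbound IP; the firewall private IP, VNet, subnet name and prefix are assumed values:

```bicep
// Added example: user-defined route sending spoke egress to the hub Azure Firewall.
// Assumed values: firewall private IP, spoke VNet/subnet names and prefix.

@description('Private IP of the Azure Firewall in the hub (assumed value)')
param firewallPrivateIp string = '10.0.1.4'

@description('Spoke VNet hosting the Application Gateway back-end pool servers (assumed)')
param spokeVnetName string = 'vnet-spoke'

@description('Subnet holding the back-end pool servers (assumed)')
param backendSubnetName string = 'snet-backend'

param backendSubnetPrefix string = '10.1.0.0/24'
param location string = resourceGroup().location

resource routeTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-backend-egress'
  location: location
  properties: {
    // Stop gateway-learned routes from bypassing the firewall
    disableBgpRoutePropagation: true
    routes: [
      {
        // 0.0.0.0/0 is the least specific route: VNet and peering system
        // routes (e.g. back to the hub, where Application Gateway sits) are
        // more specific and still win, so only internet-bound traffic is
        // redirected and App Gateway return traffic stays direct.
        name: 'default-to-azure-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: spokeVnetName
}

// Associate the route table with the back-end subnet only; a 0.0.0.0/0 route
// to a virtual appliance must not be attached to the Application Gateway
// (v2) subnet itself.
resource backendSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: spokeVnet
  name: backendSubnetName
  properties: {
    addressPrefix: backendSubnetPrefix
    routeTable: { id: routeTable.id }
  }
}
```

With this in place, the firewall's outbound rules and TLS inspection apply to the back-end server's internet traffic, and the firewall's public IP becomes the source seen by external destinations.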