Thank you for reaching out.
I understand you wish to know more about how the traffic from your spoke VNets in Azure is directed to on-prem via an Azure Firewall deployed in the hub using ExpressRoute connectivity to on-prem.
Based on your question above:
On the GatewaySubnet a Route Table which has entries for each of the spoke vnets with the next hop being the Private IP Address of our Azure Firewall. Propagate Network Routes is set to Yes (should it be set to Yes)?
Yes, Route propagation shouldn't be disabled on the GatewaySubnet. The gateway will not function with this setting disabled.
But how does the firewall know it needs to then send the traffic to the express route vpn gateway so that it can reach the on-prem server?
The on-prem routes are exchanged via BGP in Azure ExpressRoute and then propagated via the route table associated with the GatewaySubnet.
The traffic paths are well explained here by Gita in this thread. You can also take a look at this implementation here to see how routing works in Azure.
Hope this helps! Please let me know if you have any additional questions. Thank you!
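To make the next-hop decisions in this hub-and-spoke design concrete, the following is an added example (not part of the original answer, and not Azure's own code) that models Azure's documented route selection: longest prefix match first, then user-defined routes over BGP routes over system routes. All prefixes, the firewall IP, and the subnet name spoke-subnet are constructed assumptions, as is the assumption that AzureFirewallSubnet receives the gateway-propagated on-prem route.

```python
import ipaddress

# Tie-break for equal prefixes: user-defined > BGP (gateway) > system default.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

# Constructed address plan (assumptions, not values from the thread).
FIREWALL_IP = "10.0.1.4"
HUB, SPOKE, ONPREM = "10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/16"

# Effective routes per subnet: (prefix, source, next_hop_type, next_hop_ip)
ROUTES = {
    "spoke-subnet": [
        (SPOKE, "Default", "VnetLocal", None),
        (HUB, "Default", "VNetPeering", None),
        (ONPREM, "VirtualNetworkGateway", "VirtualNetworkGateway", None),
        (ONPREM, "User", "VirtualAppliance", FIREWALL_IP),  # UDR on the spoke
    ],
    "AzureFirewallSubnet": [
        (HUB, "Default", "VnetLocal", None),
        (SPOKE, "Default", "VNetPeering", None),
        # Learned over BGP from ExpressRoute; this is how the firewall
        # knows to hand on-prem traffic to the gateway.
        (ONPREM, "VirtualNetworkGateway", "VirtualNetworkGateway", None),
    ],
    "GatewaySubnet": [
        (HUB, "Default", "VnetLocal", None),
        (SPOKE, "Default", "VNetPeering", None),
        (SPOKE, "User", "VirtualAppliance", FIREWALL_IP),  # UDR from the question
        (ONPREM, "VirtualNetworkGateway", "VirtualNetworkGateway", None),
    ],
}

def next_hop(subnet, dest_ip):
    """Return (next_hop_type, next_hop_ip) chosen for dest_ip from this subnet."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [r for r in ROUTES[subnet] if dest in ipaddress.ip_network(r[0])]
    if not matches:
        return ("None", None)  # no matching route: traffic is dropped
    best = min(matches, key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen,
                                       SOURCE_RANK[r[1]]))
    return (best[2], best[3])

def trace(subnet, dest_ip):
    """Follow hops through the firewall until traffic leaves via a non-appliance hop."""
    path = [subnet]
    while True:
        hop_type, _ = next_hop(subnet, dest_ip)
        path.append(hop_type)
        if hop_type != "VirtualAppliance":
            return path
        subnet = "AzureFirewallSubnet"  # the only appliance in this model
        path.append(subnet)
```

Calling `trace("spoke-subnet", "192.168.10.5")` shows the outbound path through the firewall to the gateway, and `trace("GatewaySubnet", "10.1.2.4")` shows the return path being forced through the firewall by the GatewaySubnet route table.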