Hi Chris - thanks for the question.
Today you have a choice to use either "premium" (which is now referred to as part of the "classic" tiers), which is fully part of the virtual network.
Or, you can opt for Standard V2, which allows outbound calls into a VNet/subnet - and therefore onto another connected network. The difference here from a networking point of view is that V2 is not part of your VNet; rather, you link it to your VNet/subnet so it can make outbound calls (e.g. to a backend which is otherwise private).
In both cases you'd require on-prem to Az and Az to on-premises DNS resolution, and a network path from on-premises to Azure and vice versa (over an ExpressRoute link or VPN).
In both cases any NVA (firewall, reverse proxy, etc.) would need to allow the traffic so APIM can address your on-premises backend.
For more info, see https://learn.microsoft.com/en-us/azure/api-management/virtual-network-concepts
For the authorization, this is possible, as explained here: https://learn.microsoft.com/en-us/azure/api-management/authentication-authorization-overview
Note: Whilst Az PaaS supports modern auth, it doesn't support Windows Auth (Kerberos/NTLM).
Please have a read of the high-level concepts here and add comments for further info.