API Management Deployment - Service Activation Failed
Hi there
I've deployed an Azure API Management instance inside a VNet (Internal mode). This APIM instance sits in a spoke VNet (Subscription) and the Hub subscription has all the shared services such as Firewall, Gateway, Active Directory DNS. Internet traffic is currently not force-tunneled to on-prem and exits directly through Azure Firewall. I have completed the following configurations before APIM deployment:
- Created a custom Azure DNS Zone and a self-signed SSL Certificate with the required names.
- Linked this zone to Hub as well as spoke VNets.
- Created required DNS Records for the APIM resources (Gateway, portal etc.).
- Created NSG rules to allow inbound and outbound traffic for APIM. This also includes enabling DNS traffic to Active Directory DNS in the Hub Subscription.
- Created Azure Firewall rules to allow traffic to services (such as Azure AD) required by APIM.
- Created a Route Table for the APIM Subnet to bypass the API Management traffic to go directly to the Internet.
- Enabled Service Endpoints for Storage, Key Vault, and Event Grid services on the APIM subnet.
- Created a Public IP Address resource for APIM Management Plane functions.
I've reviewed the following articles:
https://learn.microsoft.com/en-us/azure/api-management/virtual-network-reference?tabs=stv2
Problem statement: The APIM deployment finished with the following error:
ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/