@Matt Darket Thank you for your interest in ASE V3. If you haven't already, please review the current limitations with ASE V3, as it's in a public preview state, to ensure these won't block your plans. (Preview products are traditionally not recommended for production workloads.)
You mention your scenario using the private endpoint for inbound traffic. Please note that this will change to a load balancer when ASE V3 becomes Globally Available (GA) so you will need to change that, which could lead to downtime. There is also a chance that you might have to move from a preview environment to a GA environment as it's not clear how they will swap to load balancers in GA without causing downtime for customers. Something to keep in mind.
From my understanding, if you want traffic that has come from the internet, you will need to use an App Gateway.
With regard to the firewall settings, ASE V3 has removed all the management traffic from flowing into your ASE via your VNET. This is good news as it allows you to configure your firewall as tightly as needed without breaking your ASE. So you will not need to follow the steps listed in the document you linked.
While in preview, the ASE won't have built-in support for an internet-accessible endpoint. You could add an Application Gateway for such a purpose. This should allow you to not need an Azure VM connected to the ASE VNET to perform deployments as was sometimes required with an ILB ASE V2.
We hope this helps to answer your questions. Please let us know if there are any more and we would be happy to answer them.