For RDS deployment, we will suggest RD Gateway for external access.
You will need to register external FQDN for the RD Gateway and the RDWeb server and a puplic SSL certificate obtained from a trusted public authority such as GoDaddy, GeoTrust, Digicert, Symantec, GlobalSign, Thawte should be imported on the servers. The certificate should contain both the internal FQDN and the external FQDN of the servers. You also need to configure port forwarding for private IP address of RD Gateway (TCP 443 and UDP 3391).
Then the external users can use the public RDWeb URL to have access.
For more details, please refer to below threads:
For Azure application Proxy related question, we suggest that you could separate a thread to the Azure forum.
If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.