Hello @Yosef Shellim ,
Thanks for reaching out.
You must use your backend application's service account to configure KCD (Kerberos Constrained Delegation) on the App Proxy connector agent; however, a comparable user identity must be present in on-premises Active Directory and synced to Azure AD for the user that it attempts to authenticate.
Application Proxy assumes that users have the same identity in the cloud and on-premises. For example, if you try to access a published app externally using a cloud-only account that is not present on-premises, Azure AD will authenticate the user and pass the user's UPN to the proxy connector agent to obtain a Kerberos ticket on behalf of the user, but the connector will receive an AD response stating that the identity does not exist in local AD, which is expected behavior because your backend application will not be authorized without the respective user's Kerberos ticket.
To learn more, refer to "Working with different on-premises and cloud identities". I hope this was helpful.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.