Remote Control in ConfigMgr does not work for Internet connected systems or with a CMG.
We have a work item to investigate added unattended control to Remote Help (no commitment or timeline though).
Not that this is truly pertinent to the question, but the CMG role itself does not in any way require anything on-prem AD wise however, the CMG is part of ConfigMgr and the COnfigMgr infrastructure servers must be members of an on-prem AD domain.
Thus, if you must truly control systems connected by the Internet where no user is present, today, you must rely on a third party solution.