I am sure I am missing something, but for the life of me I can't find it...
I setup the two subnets, created the vMX, added a VM with a separate subnet. From the Azure VM I can ping the vMX. From the vMX I can ping the Site to Site VPNs. From my site I can ping the Gateway for the Azure VM subnet.
What I can't do is ping the Azure VM from either the vMX or my local site. Nor can I ping the local site from the Azure VM.
Both the vMX and VM subnets are in the same vnet. The Azure VM is in the same resource group as the vnet though I have tried creating a new resource group with VM and it had the same outcome.
Any thoughts appreciated.