Hi guys
What's the best way to connect to IaaS resources on Azure or AWS?
Is there an OnRamp functionality where I don't have to deploy vMXs on the Azure/AWS side?
Could you point me to some documentation?
Many thanks!
I'd go for this instead:
https://documentation.meraki.com/MX/Deployment_Guides/vMX_and_Azure_Route_Server
A lot will depend on how important the service is to you - a single IPsec tunnel to a single IPSec terminator is pretty simple on a drawing - less easy to set up as it's cross-vendor. And if any point of it fails, you might be wishing you'd invested a bit more time in a resilient solution up-front...?
What's the objection to deploying vMX? It really is the best way to do this, if you're an MX SD-WAN user.
No objection 🙂, I am looking for the Cisco recommended way of doing it.
Using a pair of vMXs would mean 2 additional appliances I'd need to pay for/manage. Using an OnRamp type functionality (if it exists) might connect me via a VPN Gateway. I was interested to see if there was an OnRamp and how it would work.
Nope - vMX is what you need!
Depending on the public cloud platform you could use an IPsec tunnel. We can use the native IPsec capabilities of Azure and GCP, probably others; I have not tested OCI, for instance. AWS is the outlier: we cannot do IPsec to the AWS native site-to-site infrastructure. In AWS you would need either a virtual router/firewall of your choice and use IPsec, or use a vMX (preferred) to make the connection to Cisco+ Secure Connect.
No question that @Gary_Geihsler1's solution would work, but you did ask for 'the best way' and I suspect he'd agree with me that vMX (with simpler setup, failover & load balancing, policy and performance based routing etc) is much better than a non-Meraki VPN tunnel to ANOther IPSec terminator running in your cloud platform.
Yep, I'm looking for the best way!
If I have 2 x vMX deployed on Azure, I'd need to set up failover using Azure functions
https://documentation.meraki.com/MX/Other_Topics/Deploying_Highly_Available_vMX_in_Azure
Creating an IPsec tunnel between Secure Connect and an Azure VPN gateway looks like the less complicated option. On the Azure side, routes would point to the VPN gateway and I wouldn't have to mess around with functions.
Policy/performance based routing outbound from Azure isn't too important to me.
Thanks for your input so far, this is all very useful!