It's over the internet to an Azure public IP (Firewall WAN interface).  I'm using a DNat rule on the Azure firewall to the NPS box.  The Firewall and NPS VNets are peered and all the routing is definitely working.

I can't use a VPN as there are already VPNs into Azure from the sites where the Meraki's are.  The VPNs pass over an Azure Load Balancer which historically has been the reason why we it hasn't worked before, potentially the same problem with the udp fragmentation,

Are you connecting over the internet or using a VPN?

I use it in both scenarios, although I prefer to have the S2S VPN for security reasons.

Have you checked your NPS logs?

Yes, I've checked the IAS logs and Event Logs and there are no more errors.  I can force an error if I turn off the Connection Policy and a log entry in Event log gets created saying there is not matching Connection policy.  If I reenable it, RADIUS times out when it should be Authenticating using the Network policy...  I'm a bit lost currently on the next step forward

What type of authentication are you using? 802.1x?

You must configure your network's public IP as Radius Client in NPS.

Yes, 802.1x, Machine certificates.  Because I have a DNat rule on the Firewall, the Radius client is configured to the inside IP range of the Firewall.  I can see info in the Event logs on the Radius that shows inbound connections from IPs in the internal firewall IP range.  Mmm, Interesting, Is there something in the Radius protocol that needs the actual Public ip address to work (as this is the Address configured in Meraki) ?

Have you looked into this article?

https://apicli.com/2021/12/13/meraki-mr-802-1x-with-azure-active-directory/

This solution relies on Microsoft Azure’s SLA (99.99%) due to the caveats above. In addition, the solution requires a secure connection so that the MR can reach Azure AD DS by its private IP addresses. Although Azure AD DS allows LDAPS over the internet, it only allows port 636 and not 389.