From what you say, it seems to me that there is no need to stick to Limited NAT mode. It would be simple to configure the vMX as a One-Armed Concentrator [Passthrough or VPN Concentrator Mode] and advertise the subnet from Azure's vMX. The Local Networks setting can advertise specified subnets. Overlay (on the Auto VPN tunnel) access control can be configured with the "site-to-site outbound firewall", which also allows one-way communication (Branch -> Azure).