Thanks for the reply. After discussion with our Meraki SE, it was explained the one-armed vMX has the public IP as the 'outside' and the internal Azure NIC as the 'inside' interfaces - and rules can be applied much like any other firewall, i.e. looking at the perspective of inbound & outbound. As we are replacing an incumbent Juniper firewall, which has ingress & egress policies, we are replicating those. The customer is security conscious of their Azure environment and wants to control ingress to it, and control access out from it (presumably being used as an attack plane into the rest of their SD-WAN environment).
My comment was really around the template missing the inbound section, whereas when you don't bind the network to a template you can specify inbound and outbound rules.