Routing in Azure with internal and external IPs

I have a VNet with some VMs in Azure. The VNet has a site-to-site VPN connection back to my premises. From on-prem clients, I can successfully connect to the private IP addresses of the VMs. However, on-prem clients cannot connect to the public IP address of a VM. On the other hand, if I try to connect to a VM from different internet connection (3g on phone, or from home), then I can connect to the public address without problems. There are no network ACLs on network equipment on-prem that could be blocking this traffic (in fact a traceroute to the public IP address cuts out at a ntwk.msn.net address). Any thoughts on what the issue might be?

UPDATE 2: I have spun up a new vnet on a seperate IP range, and a new VM with a public IP. Connecting to the public IP of this VM works fine. Something in the VPN/routing of the original VNET seems to be part of the problem, as without a VPN everything is fine.

UPDATE: I'm beginning to think this has to do with the NIC on the VM. Azure NICs have a private and public IP on the same NIC, but the VM doesn't see the public IP address. Now, the vNet that the NIC is on has certain routing rules that specify certain traffic should route to on-prem via our VPN. I'm thinking that a request from on-prem gets to the VM's public IP successfully via public internet, but the reply is sent from the private IP over the VPN, and the client discards it as it came from a different IP. Since the OS on the VM is unaware of the public IP address, I have no idea how to fix this.

UPDATE 3: I used Wireshark to sniff packets on the the VM, and found that when I connect to the external IP from on-prem, no packets are received by the VM. So the problem might lie in the VNet, the SNAT of the Public IP, or the routing on the VM itself.