SBrickeyRCS, sorry for the delay in responding.
We advise that Azure Firewall consumers utilize a NAT Gateway on the subnet of the Azure Firewall to prevent SNAT exhaustion. In this scenario, all outbound traffic is still processed through the firewall and inspected as needed; the only difference is that the outbound traffic will utilize an IP from the NAT Gateway rather than an IP from the Azure Firewall. There is no way to circumvent the path since the NAT Gateway is applied to the AzureFirewallSubnet.
With this scenario, you still need a Public IP on the Azure Firewall. This IP can be used for DNAT rules but is also used for management plane control with Azure Resource Manager (ARM).
You are correct that NAT Gateway with Azure Firewall in VWAN Hubs is not supported. A way to work around this is to deploy an Azure Firewall on a spoke virtual network that is connected to the VHub and apply the NAT Gateway to the subnet of the firewall there. This Azure Firewall would be used primarily for outbound flows while E-W traffic is still processed through the Azure Firewall in the VHub.
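
The configuration described in this reply, as an added Bicep example that is not part of the original post and is not a Microsoft-supplied template: a NAT Gateway with its own public IP is associated with the `AzureFirewallSubnet` of an existing virtual network. The resource names, the `vnetName` parameter and the `10.0.1.0/26` prefix are placeholders assumed for illustration.

```bicep
// Added example. All names and the address prefix are placeholders.
param location string = resourceGroup().location
param vnetName string = 'vnet-firewall-example'

// Public IP used by the NAT Gateway for outbound SNAT.
// The firewall keeps its own separate public IP (DNAT rules, ARM management).
resource natPublicIp 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-natgw-example'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource natGateway 'Microsoft.Network/natGateways@2023-09-01' = {
  name: 'natgw-azfw-example'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    idleTimeoutInMinutes: 4
    publicIpAddresses: [
      {
        id: natPublicIp.id
      }
    ]
  }
}

// Existing virtual network that already hosts the Azure Firewall.
resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

// Associating the NAT Gateway with AzureFirewallSubnet makes the firewall's
// outbound flows leave with the NAT Gateway's IP after inspection.
// Redeploying a subnet replaces its properties, so carry over any settings
// the subnet already has (for example a route table) alongside these two.
resource firewallSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: 'AzureFirewallSubnet'
  properties: {
    addressPrefix: '10.0.1.0/26'
    natGateway: {
      id: natGateway.id
    }
  }
}
```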