Forum Discussion
RobertEllis
Apr 28, 2021, Copper Contributor
Does azure networking implement address spoofing?
I have a non-Azure, non-Windows, non-Microsoft site-to-site tunnel set up between an Azure cloud environment and an on-premises LAN; at the Azure end, the proprietary (non-Microsoft) S2S host sits behind an Azure load balancer. The proprietary tunnel is route-based and, as such, I'd like to route connections all the way from our on-premises network to various resources in Azure, e.g.
OnPrem Server -> OnPremFw -> (tunnel) -> CloudFW -> LB -> vNET1 -> vNET2 -> VMtarget
When packets hit the CloudFW, they are being "Hidden NAT'd", so the source IP address is translated from its on-premises IP address to an IP address recognised by Azure as directly associated with an Azure subnet range. In this case, things work as expected.
However, if I turn off the H-NAT, so that packets carry their original on-premises source IP address into Azure, then no matter what security or routing rules I apply, nothing works.
Is it plausible that Azure is passively dropping these packets, or is silently screening them out, something like address spoofing?
I can't find any Azure documentation confirming this, but the behaviour I am seeing strongly implies this must be the case. Could anyone confirm?
I would like to know if, essentially, it isn't possible to use "non-Azure" IP addresses in Azure routing and security configurations?
RobertEllis, Copper Contributor
Essentially, the answer to this question is No.
It is certainly possible to use non-Azure-defined IP addresses in Azure network security groups and in Azure route tables.
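The reply above is correct that on-premises prefixes are valid in NSG rules and route tables, but an un-NAT'd packet still has to pass three separate Azure data-plane checks that Hidden NAT happens to satisfy for free: the source-address check on the firewall's NIC (a NIC may only emit packets with its own configured address unless "Enable IP forwarding" is set on it), a route for the reply traffic back to the on-premises prefix (without a user-defined route the 0.0.0.0/0 system route sends it to the Internet), and an inbound NSG rule that matches the raw on-premises source. The model below is an added example written for this thread, not code from the original post or from Microsoft; the VNet range, NIC addresses, on-premises prefix and rule names are constructed, and the VirtualNetwork service tag is deliberately modelled narrowly as the VNet's own address space.

```python
"""Model of the three Azure data-plane checks an un-NAT'd on-premises source must pass.

Constructed example: all prefixes, addresses and rule names below are assumed, not taken
from the thread. The logic mirrors documented Azure behaviour in simplified form.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed topology (assumed values)
VNET_PREFIXES = ["10.0.0.0/16"]      # address space of the VNet holding CloudFW and VMtarget
NVA_NIC_IP = "10.0.1.4"              # CloudFW's Azure-side NIC address
VM_TARGET = "10.0.2.10"              # VMtarget
ONPREM_PREFIX = "192.168.10.0/24"    # on-premises LAN reached through the tunnel
ONPREM_HOST = "192.168.10.25"        # OnPrem Server


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str               # "VnetLocal" | "Internet" | "VirtualAppliance"
    next_hop_ip: Optional[str] = None
    user_defined: bool = False       # True for a UDR, False for an Azure system route


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int                    # lower number is evaluated first
    access: str                      # "Allow" | "Deny"
    source: str                      # CIDR, "*" or the "VirtualNetwork" tag


# System routes every subnet gets: the VNet range is local, everything else goes to Internet.
SYSTEM_ROUTES = [Route("10.0.0.0/16", "VnetLocal"), Route("0.0.0.0/0", "Internet")]

# Default inbound NSG rules (simplified; AllowAzureLoadBalancerInBound omitted).
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*"),
]


def nic_egress_allowed(packet_src: str, nic_ip: str, ip_forwarding: bool) -> bool:
    """Check 1: a NIC may only send with its own address unless IP forwarding is enabled.

    With Hidden NAT the source is the NIC's own IP, so this passes either way; without NAT
    the firewall NIC is emitting a foreign source and needs 'Enable IP forwarding'.
    """
    return ip_forwarding or packet_src == nic_ip


def select_route(routes: List[Route], dst: str) -> Route:
    """Check 2: longest-prefix match; a UDR beats a system route of the same length."""
    ip = ipaddress.ip_address(dst)
    matching = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    return max(matching, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, r.user_defined))


def _expand(source: str):
    # Assumption: 'VirtualNetwork' is modelled as the VNet's own ranges only. Azure's real
    # tag is wider (peered VNets, gateway-learned and UDR prefixes), so an explicit rule
    # for the on-premises CIDR is used below to make the intent visible either way.
    if source == "*":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if source == "VirtualNetwork":
        return [ipaddress.ip_network(p) for p in VNET_PREFIXES]
    return [ipaddress.ip_network(source)]


def inbound_verdict(rules: List[NsgRule], src: str) -> str:
    """Check 3: the first matching rule in ascending priority order decides."""
    ip = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(ip in net for net in _expand(rule.source)):
            return rule.name
    return "DenyAllInBound"


def trace(hidden_nat: bool, ip_forwarding: bool, with_udr: bool, with_rule: bool) -> dict:
    """Follow OnPrem Server -> CloudFW -> VMtarget and the reply; report each check's outcome."""
    src_in_azure = NVA_NIC_IP if hidden_nat else ONPREM_HOST
    routes = list(SYSTEM_ROUTES)
    if with_udr:                     # UDR on VMtarget's subnet: on-prem prefix via CloudFW
        routes.append(Route(ONPREM_PREFIX, "VirtualAppliance", NVA_NIC_IP, user_defined=True))
    rules = list(DEFAULT_INBOUND)
    if with_rule:                    # explicit inbound allow for the raw on-prem source
        rules.append(NsgRule("AllowOnPremInBound", 100, "Allow", ONPREM_PREFIX))
    reply_route = select_route(routes, src_in_azure)
    return {
        "fw_egress_ok": nic_egress_allowed(src_in_azure, NVA_NIC_IP, ip_forwarding),
        "vm_inbound_rule": inbound_verdict(rules, src_in_azure),
        "reply_next_hop": reply_route.next_hop_type,
        "reply_next_hop_ip": reply_route.next_hop_ip,
    }


if __name__ == "__main__":
    print("Hidden NAT on:          ", trace(True, False, False, False))
    print("NAT off, no forwarding: ", trace(False, False, False, False))
    print("NAT off, fwd, no UDR:   ", trace(False, True, False, False))
    print("NAT off, fwd, UDR, rule:", trace(False, True, True, True))
```

The third trace is the interesting one: the packet leaves the firewall and reaches the VM's subnet, but the NSG's default rules deny it and the reply is routed to the Internet, which looks exactly like "silent dropping" from the on-premises side. On a real deployment the same three items map to `az network nic update --ip-forwarding true` on the firewall NIC, a route with `--next-hop-type VirtualAppliance --next-hop-ip-address <firewall IP>` on the target subnet's route table, and an inbound NSG rule whose source prefix is the on-premises CIDR.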