Forum Discussion
JeremyTBradshaw
Jun 24, 2020 | Iron Contributor
Actual impact to ActiveSync clients when enabling Hybrid Modern Authentication
https://docs.microsoft.com/en-us/office365/enterprise/configure-exchange-server-for-hybrid-modern-authentication I have found in testing that simply enabling Hybrid Modern Authentication doesn'...
KyleHardin
Apr 22, 2022 | Copper Contributor
Two years on and the documentation still doesn't indicate that enabling HMA does nothing to disable legacy authentication. I wonder if this is because Microsoft does not provide a mechanism for disabling legacy authentication in Exchange 2016 at all (you can in Exchange 2019).
We configured HMA (in conjunction with AAD-AP for OWA) with two goals in mind:
1. Take on-prem Exchange off of the public internet and make it only accessible to EXO's IP ranges.
2. Enforce MFA and conditional access across the board for on-prem mailboxes.
Unfortunately, we've since discovered that HMA doesn't accomplish either of these goals, which makes the whole additional HMA security layer rather pointless.
1. With HMA, EXO redirects to on-prem EXCH (rather than proxying) so you still need to have on-prem EXCH reachable to the public internet.
2. There's no way to disable legacy auth (on EXCH2016) so an attacker can just disable support for HMA on their side, and they're right back to plain username and password based legacy authentication.
Really a disappointing security theater on Microsoft's part with these shortcomings in mind.
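The gap the post describes is that the HMA switch (OAuth2ClientProfileEnabled) and the legacy-authentication controls are separate settings, and only Exchange 2019 CU2 or later has the latter. The following Exchange Management Shell script is an added example, not code from the thread or from Microsoft's documentation: it reports whether HMA is on, and on Exchange 2019 creates and assigns an authentication policy that blocks legacy auth on every client protocol. The policy name is a constructed label, and the version check assumes the script is run on the Exchange server being audited.

```powershell
# Added example: verify HMA and enforce a block-legacy-auth policy (Exchange 2019 CU2+).
# Run from the Exchange Management Shell on the server being audited.

# 1. HMA status. OAuth2ClientProfileEnabled is the org-level switch that HMA turns on;
#    it does not by itself reject Basic/NTLM authentication from clients.
$org = Get-OrganizationConfig
"HMA enabled (OAuth2ClientProfileEnabled): $($org.OAuth2ClientProfileEnabled)"
"Current default authentication policy:    $($org.DefaultAuthenticationPolicy)"

# 2. Authentication policies only exist on Exchange 2019 (version 15.2).
#    Exchange 2016 is 15.1 and has no in-product way to disable legacy auth.
$server = Get-ExchangeServer -Identity $env:COMPUTERNAME
$ver = $server.AdminDisplayVersion
if ($ver.Major -lt 15 -or ($ver.Major -eq 15 -and $ver.Minor -lt 2)) {
    Write-Warning "Exchange $($ver.Major).$($ver.Minor): authentication policies are not available."
    Write-Warning "Legacy auth stays enabled; only network or pre-auth controls can limit exposure."
    return
}

# 3. Create a policy that blocks legacy authentication for all client protocols
#    (constructed name; switches are the documented BlockLegacyAuth* parameters).
$policyName = 'Block Legacy Auth'
$existing = Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AuthenticationPolicy -Name $policyName `
        -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover `
        -BlockLegacyAuthImap -BlockLegacyAuthMapi `
        -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop `
        -BlockLegacyAuthRpc -BlockLegacyAuthWebServices | Out-Null
}

# 4. Make it the organization default so every user without an explicit
#    per-user policy inherits it; per-user overrides use Set-User -AuthenticationPolicy.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 5. Verify the resulting state: every BlockLegacyAuth* flag should read True and
#    the org default should now point at the policy.
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, BlockLegacyAuth*
"Default authentication policy now: $((Get-OrganizationConfig).DefaultAuthenticationPolicy)"
```

Assigning the policy as the default does not remove the need for the public reachability discussed in the post; it only closes the fallback-to-Basic path that HMA alone leaves open.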