Define Patch Approvals in WSUS but pull patches from Internet

shocko yes that's absolutely possible. Setup WSUS with TLS 1.2 on a mainstream supported Windows Server OS (currently WS 2022 only). 

consider ajtek WAM subscription and check docs there for setup of WSUS, lots of things to obeye, easiest with ajtek WAM blog rather WSUS docs. remember WSUS is old tech, unfortunately not deprecated as also being used by MEMCM.

you can setup WSUS / MEMCM as you are used to but just setup WSUS to NOT download any updates. Then it will only fetch metadata.

ajtek WAM still will help you even with MEMCM and fixes some issues like OS version display etc.

sidenote when your licensing allows Intune, checkout the improved reportings that became available some weeks ago. Third party patching is still a thing that require MEMCM and as such hybrid join.

but alternatives on the run. Like Intune (native) with WinGet, TUGI Packaging Tools + PSADTK, Company portal. and winget.pro for LOB apps not being part of winget public repo.
Delivery Optimization policy is a must-have also required for Teams 2.0.

please mark best response if this helped you! Good luck!