Azure Secure Virtual Hub VNET-Branch Routing

Hey trying to get connectivity going from our VNET to Branch over the S2S VPN I've setup and from what I can tell when doing a tracert to an branch private ip address it seems to stop at the Azure Firewall IP Address and I've even created an any/any rule on the firewall policy but no go so far.

Is there something that I'm Missing? Here is my topology..

Secure Virtual Hub

1x VNET Spoke

1x VPN Site

Both associated to the default route table which has a route for 0.0.0.0/0 next hop firewall

Both Propagating to the None route table. 

I have created a DNAT rule to allow RDP which I'm assuming thats how I'm getting into the virtual machine via rdp but once I'm in I cannot route to anything back.