Hi, since you are in a Hub and Spoke topology, the jumphost needs to be on the Hub (central operations), and you can limit the incoming authorized requests either with network security groups or by using Azure Firewall or a network virtual appliance of your choice. If the virtual machine is domain joined, you can simply restrict administrative access and leverage AppLocker policies in Group Policy Objects. Since it's an IaaS workload, the first thing to do is implement the security best practice fundamentals: https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas

There are many built-in policies in Azure Security Center (now Azure Defender) to prevent, detect and respond to threats to your VMs: https://docs.microsoft.com/en-us/azure/virtual-machines/security-policy
Tip: Your jumphost doesn't need to have a public IP; you can create a DNAT rule and leverage the public IP of your firewall.
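The NSG restriction and the firewall DNAT tip described in the answer above, as an added Az PowerShell example (this is not code from the answer or from Microsoft's documentation). The resource group, VNet, subnet, firewall name and every IP address below are placeholders and assumptions; the one design choice worth noting is that, because Azure Firewall SNATs DNAT'd traffic to its own private IP, the NSG on the jumphost subnet only needs to allow RDP from that firewall private IP and can deny all other inbound traffic.

```powershell
# Added example (not from the original answer): Az PowerShell that
#  1. attaches an NSG to the hub jumphost subnet allowing RDP only from the
#     Azure Firewall private IP and explicitly denying every other inbound flow;
#  2. adds a DNAT rule on Azure Firewall so the firewall's public IP fronts the
#     jumphost, which keeps no public IP of its own.
# Run in a session where Connect-AzAccount has already been done.
# All names and addresses are placeholders (assumptions).
$rg         = 'rg-hub'
$location   = 'westeurope'
$hubVnet    = 'vnet-hub'
$jumpSubnet = 'snet-jumphost'
$jumpPrivIp = '10.0.1.4'        # jumphost NIC private IP (assumed)
$fwName     = 'afw-hub'
$fwPrivIp   = '10.0.0.4'        # AzureFirewallSubnet private IP (assumed)
$fwPublicIp = '20.0.0.10'       # public IP attached to the firewall (assumed)
$opsEgress  = '203.0.113.0/24'  # operations team egress range (assumed, TEST-NET-3)

# --- 1. NSG: RDP only from the firewall, everything else inbound denied ------
# DNAT'd traffic arrives SNATed to the firewall's private IP, so that is the
# only source the jumphost subnet has to accept on 3389.
$allowRdpFromFw = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Firewall' `
    -Description 'RDP to the jumphost only via the Azure Firewall DNAT path' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $fwPrivIp -SourcePortRange '*' `
    -DestinationAddressPrefix $jumpPrivIp -DestinationPortRange 3389

# Explicit deny ahead of the default rules, so a later AllowVnetInBound
# assumption cannot quietly reopen the subnet from the rest of the VNet.
$denyAllInbound = New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' `
    -Description 'Nothing else reaches the jumphost' `
    -Access Deny -Protocol '*' -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-jumphost' -SecurityRules $allowRdpFromFw, $denyAllInbound

# Associate the NSG with the jumphost subnet (keeping its existing prefix).
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $hubVnet
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $jumpSubnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $jumpSubnet `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# --- 2. Azure Firewall DNAT: <firewall public IP>:3389 -> <jumphost>:3389 -----
# SourceAddress is pinned to the operations egress range instead of '*', so the
# public RDP listener is not reachable from the whole Internet.
$natRule = New-AzFirewallNatRule -Name 'DNAT-RDP-Jumphost' -Protocol TCP `
    -SourceAddress $opsEgress -DestinationAddress $fwPublicIp -DestinationPort 3389 `
    -TranslatedAddress $jumpPrivIp -TranslatedPort 3389

$natCollection = New-AzFirewallNatRuleCollection -Name 'Jumphost-DNAT' `
    -Priority 100 -Rule $natRule

$fw = Get-AzFirewall -ResourceGroupName $rg -Name $fwName
$fw.NatRuleCollections.Add($natCollection)
Set-AzFirewall -AzureFirewall $fw | Out-Null
```

After this runs, an operator connects to `$fwPublicIp:3389` from the allowed egress range; the firewall translates the flow to the jumphost's private IP and logs it, and the jumphost NIC never needs a public IP of its own. If the firewall is managed through a Firewall Policy rather than classic rule collections, the DNAT rule goes into the policy's DNAT rule collection group instead, but the NSG half is unchanged.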