Modern Hybrid with no external access

Hi All. We have an on-prem Exchange 2016 infrastructure with no https connectivity from external. We setup the Hybrid agent in full 'modern' mode for this reason and it seems to work OK. We had to do some adjustments on the Inbound and Outbound connectors to route mail correctly and have successfully done test mailbox migrations to and from O365. We aren't scheduled to move any mailboxes to the cloud at present so everything is staying on-prem. 

We have also deployed Teams to a pilot group, however there is no Calendar integration and users cannot delegate a Teams meeting on behalf of another. I believe (after many hours reading various posts) that for these to work we need to publish our internal autodiscover and EWS records externally?

My question then is can this be worked around using the Hybrid agent somehow or is the above the only option, in which case the Modern Hybrid is not usable and we might as well use Classic Hybrid, assuming we can even get approval to publish these URL's externally.

Cheers Peter