Not sure if you've already gotten your answer but I do have an App Proxy with passthrough authentication that is operational even if they are not assigned the app in Azure AD. My understanding is that:
- you would only need to assign the app in Azure AD if you choose your App Proxy Pre Authentication method to "Azure Active Directory"
- passthrough authentication bypasses Azure AD
I've also stumbled upon this really helpful video to understand how both app proxy authentications work: https://www.youtube.com/watch?v=BXHbYSRSpic