According to the docs you can use it internally and externally, but I've never used it. The connector is simply a relay to Azure RMS and is used for seamless protection between the on-premises and cloud environment. From a logical point of view, it should be all good when that connection is established.
If you're using the Microsoft Purview encryption feature built on Azure RMS (legacy Office Message Encryption) with Encrypt only and Do not forward, you'll only be able to use mail flow rules from on-premises.
Search the docs for more details around the setup and possibilities.