Create a custom image using this .vhd file. This becomes our WVD image for this particular application.
Create a host pool based on this custom image. Share your application as needed.
When it comes time to patch, we do the following:
Create a new virtual machine using the application WVD image we created above.
Install whatever OS and/or application patches are necessary.
Run sysprep, shut down, copy the VHD to a storage account.
Create a new custom image based on this new .vhd file. Obviously give it a different name like "MyAppImage_Version20200309" or something.
Update the host pool using the new custom image.
And, er, confession. Currently the "update host pool" ARM template doesn't work with custom images. So we end up destroying the host pool and redeploying it, which requires a one-hour downtime. But that's not so bad for our needs.
So as you can see, we completely control what patches get installed, and how often they get installed.
Technically you could use SCCM to apply patches to your backend servers. You'd just have to be absolutely certain that every time a new backend server is spun up, the patching happens immediately before any users start using the application. So if you decide to scale up from three backend servers to four, you'll want to freeze people out of the fourth backend server until patching has completed.
We find it much more convenient to update the image itself and redeploy the entire host pool, as described above.
I hope this gives you the answers you're looking for.
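The "create a new custom image" step of the patch cycle described in the answer above, as an added example that is not part of the original post. It assumes the Az.Compute PowerShell module and an already signed-in session; the resource group, region and VHD URI are placeholders, and only the `MyAppImage_Version<date>` naming pattern comes from the post.

```powershell
# Added example: register a date-stamped managed image from the sysprepped VHD.
# Every default below except the name prefix is a placeholder (assumption).
param(
    [string]$ResourceGroup = 'rg-wvd-images',   # placeholder
    [string]$Location      = 'eastus',          # placeholder
    [string]$VhdUri        = 'https://<storageaccount>.blob.core.windows.net/vhds/myapp-patched.vhd',  # placeholder
    [string]$ImagePrefix   = 'MyAppImage_Version'
)

$ErrorActionPreference = 'Stop'

# Name the image after its build date so the patch level of any host pool
# can be read from the image it was deployed from.
$imageName = '{0}{1}' -f $ImagePrefix, (Get-Date -Format 'yyyyMMdd')

# Never overwrite an existing version: the previous image is the rollback path.
$existing = Get-AzImage -ResourceGroupName $ResourceGroup -ImageName $imageName `
    -ErrorAction SilentlyContinue
if ($existing) {
    throw "Image '$imageName' already exists in resource group '$ResourceGroup'."
}

# The VHD must come from a VM that was generalized with sysprep and shut down
# before the copy; OsState Generalized tells Azure to treat it that way.
$config = New-AzImageConfig -Location $Location
$config = Set-AzImageOsDisk -Image $config -OsType Windows -OsState Generalized `
    -BlobUri $VhdUri

$image = New-AzImage -ResourceGroupName $ResourceGroup -ImageName $imageName `
    -Image $config
Write-Output "Created image $($image.Name) ($($image.ProvisioningState))"

# List every version of this application's image, newest first, so that
# superseded (unpatched) images can be reviewed and retired deliberately.
Get-AzImage -ResourceGroupName $ResourceGroup |
    Where-Object { $_.Name -like "$ImagePrefix*" } |
    Sort-Object -Property Name -Descending |
    Select-Object -Property Name, ProvisioningState
```

Keeping at least the previous image version until the redeployed host pool has been validated leaves a known-good image to fall back on.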