Access Snowflake on private endpoints through Azure firewall
I was wondering if there is some experience of working with an Azure Firewall in order to access SF through its private endpoints.
In our situation we decided to make the account and internal staging in SF private through Azure private links. These are located in a vnet. The on-prem network can access these private endpoints. Now we want another cloud service to access SF. We don't want to open SF with a network policy, but we want to give access through an Azure firewall. The FW has 2 public IP addresses and can perform NAT.
Now the way I see it is that on the cloud service we use an ODBC SF driver. In it we specify the public IP of the firewall. The session is set up and the FW will transfer the traffic to the private IP of the private endpoint with NAT. So far I think everything goes well.
However, when there is a large result set, SF will place it on the storage. The client needs to get it from there. If, however, SF is giving the privatelink name of the storage, then the client can never access it (it's private). It would be solvable if you can somehow hardcode the public IP of the FW in the ODBC driver, but I don't know if this is possible.
Are my assumptions correct? Has someone else come across such a scenario and solved it? I am happy to hear how.
Kick
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
