Private network with public IP range not working

Hi, I’m trying to route certain public IP ranges via my Cloudflare tunnel to allow access to Azure SQL databases - the Cloudflare tunnel is to my GCP VPC, which has a NAT Gateway & public IP allowlisted by the Azure SQL database. I do this by creating private network groups according to the public IP ranges Azure has allocated to Azure SQL.

This used to work, but the traffic is no longer being routed via my tunnel - can anyone please help me get this working again, or clarify if this functionality is no longer supported?