
I have an Azure Virtual network and I connect to the network using Point-to-point with the VPN client downloaded from Azure. This works as expected as I can now RDP to VMs in the VNet if required.

I also have an Azure SQL Server instance and in the firewall section I have added the VNet above to the Virtual networks rule list.

With my work laptop, I was now hoping that I would be able to connect to the VNet using the VPN client and then be able to access the SQL database using SSMS. However, when I try and connect I get a message telling me that I cannot access the server and instead need to add my client IP to the Firewall rule list, which is what I was trying to avoid doing.

Is there something else I need to be doing here to get this working?

1 Answer

Is there something else I need to be doing here to get this working?

If you just use an Azure SQL Database, which is a PaaS in Azure, it itself is not located inside a VNet. You can directly add the client public IP in the firewall of Azure SQL Server, whereas this is not your expectation. You need to make it inside a VNet, then you can do the following.

If you are using a SQL Managed Instance, which is located inside a VNet, and want to access the database instance from on-premises with a private address, you need to make a VPN connection or ExpressRoute connection between the on-premises network and the Managed Instance VNet.

Now that you have a P2S VPN connection, you still need to make VNet peering with Gateway Transit between the P2S VNet and the SQL instance VNet. Note: To use remote gateways or allow gateway transit, the peered virtual networks must be in the same region. To do so, make the following very specific changes under the Peering settings.

In the VNet that hosts the VPN gateway, go to Peerings, then to the Managed Instance peered VNet connection, and then click Allow Gateway Transit.

In the VNet that hosts the Managed Instance, go to Peerings, then to the VPN Gateway peered VNet connection, and then click Use remote gateways.

Once the peering is complete, you can check the status on the Azure portal. You need to remove the VPN client, re-download it and re-install it on your laptop; this will update the routes on your client side.

If you've established the on-premises to Azure connection successfully and you can't establish a connection to the Managed Instance, check whether your firewall allows outbound connections on SQL port 1433 as well as the 11000-12000 range of ports used for redirection.

For more reference, you can read Connect your application to Azure SQL Database Managed Instance.
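Scripted form of the two peering changes and the status check described in this answer, as an added example (not the answerer's code or a Microsoft sample); it assumes the Az PowerShell module, an authenticated Connect-AzAccount session, and placeholder resource group and VNet names.

```powershell
# Added example: configure Allow Gateway Transit on the VPN-gateway VNet and
# Use Remote Gateways on the Managed Instance VNet, then verify the peering.
# Resource group and VNet names below are placeholders (assumptions).
$ResourceGroup   = 'rg-example'         # placeholder
$GatewayVNetName = 'vnet-p2s-gateway'   # VNet hosting the P2S VPN gateway (placeholder)
$MiVNetName      = 'vnet-sql-mi'        # VNet hosting the Managed Instance (placeholder)

$gwVnet = Get-AzVirtualNetwork -Name $GatewayVNetName -ResourceGroupName $ResourceGroup
$miVnet = Get-AzVirtualNetwork -Name $MiVNetName      -ResourceGroupName $ResourceGroup

# Gateway transit only works when both peered VNets are in the same region.
if ($gwVnet.Location -ne $miVnet.Location) {
    throw "VNets are in different regions ($($gwVnet.Location) vs $($miVnet.Location)); gateway transit is not supported."
}

# The gateway VNet must already contain a GatewaySubnet with a deployed VPN gateway.
if (-not ($gwVnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
    throw "$GatewayVNetName has no GatewaySubnet; deploy the VPN gateway there first."
}

# Side 1: the VPN-gateway VNet lets its peer use the gateway (Allow Gateway Transit).
Add-AzVirtualNetworkPeering -Name 'to-sql-mi' -VirtualNetwork $gwVnet `
    -RemoteVirtualNetworkId $miVnet.Id -AllowGatewayTransit | Out-Null

# Side 2: the Managed Instance VNet routes through that gateway (Use Remote Gateways).
Add-AzVirtualNetworkPeering -Name 'to-p2s-gateway' -VirtualNetwork $miVnet `
    -RemoteVirtualNetworkId $gwVnet.Id -UseRemoteGateways | Out-Null

# Both links must report Connected; Initiated means only one side has been configured.
foreach ($p in @(
        @{ Vnet = $GatewayVNetName; Name = 'to-sql-mi' },
        @{ Vnet = $MiVNetName;      Name = 'to-p2s-gateway' })) {
    $peer = Get-AzVirtualNetworkPeering -ResourceGroupName $ResourceGroup `
        -VirtualNetworkName $p.Vnet -Name $p.Name
    '{0}/{1}: {2} (AllowGatewayTransit={3}, UseRemoteGateways={4})' -f `
        $p.Vnet, $p.Name, $peer.PeeringState, $peer.AllowGatewayTransit, $peer.UseRemoteGateways
}
```

After both peerings show Connected, the P2S client profile still has to be re-downloaded and re-installed, as the answer notes, so that the client picks up the route to the Managed Instance VNet.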


2 Comments

Thanks for the response. I'm not sure I understand though. I have the PaaS solution, not the Managed Instance. Are you saying that the only way to get my work laptop to talk to the database is to use the firewall IP rule and that the VPN rule will not work, even though I have set up a Point-to-point VPN connection from laptop to VPN?
Yes, you could just access the resources in the VNet that the GatewaySubnet resides in via P2S VPN with a private IP address; you could not access the other resources in Azure. Also, the PaaS SQL database is a public service, not in a VNet; you could not fully control it essentially. Here is a similar case: social.msdn.microsoft.com/Forums/azure/en-US/…
