I think this is going to be a complicated path to go down - though not impossible, it will likely require a lot of trial and error. Using tools like APIM requires a very detailed understanding of how to forward traffic / reverse-proxy traffic through that service. We do have guidance on the Trust Center at https://trust.arcgis.com on Azure WAF Rules, which may help with that tier.
In addition, note that accessing the same Portal/Enterprise deployment using two different URLs is not a supported pattern - the software assumes a consistent WebContext (e.g. https://myserver.domain.com/portal) is used by all users who access the Portal. So, I would suggest rethinking that component to identify what is driving you towards separate internal/external access and whether that can be accomplished in a different pattern.