If you have web-tier authentication enabled on the WebContextURL, it cannot be used for the privatePortalURL. For architectures where the backend servers are able to access the WebContextURL for Portal for ArcGIS, it's easy to match the privatePortalURL to that value to avoid the need to provision a separate listener on the LB.
The privatePortalURL for an HA site does need to be load balanced so, in the case of a single Portal for ArcGIS machine going down, the federated ArcGIS Server sites/machines still have an administrative connection to the remaining Portal for ArcGIS machine.
The example, https://lb.example.com/portal, is a stub URL used to build the full URL by the underlying components, so it would be correct with the caveat mentioned above.
-- Chris Pawlyszyn