I have not tried Azure Application Proxy with the classic client but I have with the Kinetic web client in a small test case and it seemed to work. You create a map of external resources to internal ones. So https://erp.domain.com/instance/ maps to https://erp.domain.local/instance. You can set up multiple maps. Local agents on your network (for redundancy in case a server is down for any reason, and performance by not funneling every request through one queue) will accept calls from the outside and then send responses back. At that time, we were using the self-signed cert, and you upload it to the service so it was considered trusted. But now you can get a Let’s Encrypt cert and deploy it locally without exposing your internal system to the Internet.
As a rule, I prefer to reduce the access surface to internal resources. I would never run an IIS or Exchange server on prem and expose it to the Internet. But that’s me… 
You may also try something like Tailscale, which is a safer VPN service since it’s not like Exchange or IIS that sits at your perimeter and waits for connections either.
**EDIT: I believe that Microsoft will provide a Cert for the Application Proxy Service for the external address.