Monday, August 5, 2019

Setting up a transit vnet in Azure

I'm working on setting up a transit VNet in Azure. The idea is to route all traffic coming from on-prem to the transit VNet before it moves on to a separate peered VNet. No matter what I've tried, though, I can't seem to get it to work. Any suggestions or thoughts are welcomed.

  • On-prem network is connected to a gateway in Azure attached to the Transit VNet. Hosts in the Transit VNet are reachable from on-prem using the IPSec tunnel between a Palo firewall on-prem to the gateway in Azure.
  • Hosts in the Transit VNet are able to communicate with hosts in a second VNet (Production VNet) and vice versa. The two VNets are peered.
  • Hosts on-prem cannot communicate with hosts in the Production VNet (by design, the traffic should go from on-prem to the Transit VNet before going to the Production VNet).
  • There are no User Defined Routes configured to route the traffic in Azure; the only routes in the "Effective Routes" for devices are the default Azure entries, the VNet's network itself, then any routes learned via peering.
  • The Production VNet is using the Transit VNet as its remote gateway. Per (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke), the Transit VNet is set to allow gateway transit, the Production VNet is set to use remote gateways, and both sides are set to allow forwarded traffic.

Anything I've found online makes it seem like the routing should just work, though I have to be missing something. I tried setting up a User Defined Route in the Production VNet for the network on-prem but there was no improvement. Eventually I'll be using the UDRs to route traffic to virtual firewalls in the Transit VNet, but I really want to prove the solution should work before cutting over production resources.
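An added example, not part of the post: a small Python check that the two ends of the hub/spoke peering and the spoke's UDR carry the settings listed above (gateway transit on the hub side, remote gateways on the spoke side, forwarded traffic on both, and an on-prem route whose next hop is an appliance inside the transit VNet). The peering dicts, address spaces and appliance address are constructed sample values in the shape of `az network vnet peering show` output, not the author's environment.

```python
import ipaddress

# Constructed sample in the shape of `az network vnet peering show` output for
# both ends of the hub/spoke peering, plus the spoke's UDRs (not real output).
TRANSIT_PEERING = {"name": "transit-to-production", "peeringState": "Connected",
                   "allowVirtualNetworkAccess": True, "allowForwardedTraffic": True,
                   "allowGatewayTransit": True, "useRemoteGateways": False}
PRODUCTION_PEERING = {"name": "production-to-transit", "peeringState": "Connected",
                      "allowVirtualNetworkAccess": True, "allowForwardedTraffic": True,
                      "allowGatewayTransit": False, "useRemoteGateways": True}
TRANSIT_ADDRESS_SPACE = ["10.10.0.0/16"]   # hub VNet prefix (assumed)
ONPREM_PREFIX = "192.168.0.0/16"           # on-prem network behind the firewall (assumed)
PRODUCTION_ROUTES = [{"addressPrefix": "192.168.0.0/16", "nextHopType": "VirtualAppliance",
                      "nextHopIpAddress": "10.10.1.4"}]   # virtual firewall in the hub (assumed)


def check_peering(hub, spoke):
    """Return findings; an empty list means both peering ends match hub-spoke guidance."""
    findings = []
    for side, p in (("hub", hub), ("spoke", spoke)):
        if p.get("peeringState") != "Connected":
            findings.append(f"{side}: peeringState is {p.get('peeringState')}, not Connected")
        if not p.get("allowVirtualNetworkAccess"):
            findings.append(f"{side}: allowVirtualNetworkAccess is off")
        if not p.get("allowForwardedTraffic"):
            findings.append(f"{side}: allowForwardedTraffic is off, so NVA-forwarded packets drop")
    if not hub.get("allowGatewayTransit"):
        findings.append("hub: allowGatewayTransit is off, spoke cannot use the hub gateway")
    if not spoke.get("useRemoteGateways"):
        findings.append("spoke: useRemoteGateways is off, on-prem routes never reach the spoke")
    if spoke.get("allowGatewayTransit") or hub.get("useRemoteGateways"):
        findings.append("gateway transit flags are set on the wrong end of the peering")
    return findings


def check_spoke_udr(routes, onprem_prefix, hub_space):
    """The spoke's route for on-prem must point at an appliance inside the transit VNet."""
    target = ipaddress.ip_network(onprem_prefix)
    hub_nets = [ipaddress.ip_network(n) for n in hub_space]
    matches = [r for r in routes if ipaddress.ip_network(r["addressPrefix"]) == target]
    if not matches:
        return [f"spoke: no UDR for on-prem prefix {onprem_prefix}"]
    findings = []
    for r in matches:
        if r.get("nextHopType") != "VirtualAppliance":
            findings.append(f"spoke: {r['addressPrefix']} nextHopType is {r.get('nextHopType')}")
        elif not any(ipaddress.ip_address(r["nextHopIpAddress"]) in n for n in hub_nets):
            findings.append(f"spoke: next hop {r['nextHopIpAddress']} is outside the transit VNet")
    return findings
```

Feed it the JSON from `az network vnet peering show` on each side and `az network route-table route list` on the spoke; any non-empty list is a setting that does not match the hub-spoke reference.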
