Just in case if anyone out there is pondering about mutual authentication of agents and Beacon over the Internet, on Azure the best solution in my opinion is to use Application Gateway (v2) instead of IIS. Exposing a VM to Internet using IIS-configured certificate authentication is available, but likely not the most secure method. App GW v2 allows certificate authentication via SSL Policies at the front end as well as in the back end if required along with end-to-end TLS. Once App GW v2 and certificates are set up, beaconengine.config needs to be configured to use the app GW public DNS name instead of beacon hostname. Naturally certificate revocation checks need to be disabled on agents when using self-signed certificates.
Note that self-signed certificates do not work at the back end of App GW v2 (or at least I could not make them work without the 502 error) but you can do http at the back end without problems as https is already used at the front end. With trusted certificate https should work at the back end as well.
See the attachment for simplified configration diagram.