Hi @-M, I understand that you want to restrict internet access from some of your VMs using Firewall FQDN rules.
The default route forwards traffic to/from the internet to Azure Firewall. This has an implication that VMs in the subnet with the default route will not have direct access to the internet. You need to configure Firewall rules to enable inbound/outbound traffic for the VMs. You may have outbound traffic configured with your Firewall FQDN rules, but without any inbound rule, you can't reach your VM.
If you want to RDP directly to your VMs after the default route is applied to the VMs' subnet, create a DNAT rule in your Firewall, translating your Firewall's public IP address on a certain port (e.g. port 6001) to your VM's private IP address on port 3389 (RDP) - you may want to add a restriction so that only your laptop's IP address is allowed (Source IP address in your Firewall rule = your laptop's public IP address). Then your laptop can connect using an RDP client to the Firewall's public IP address on port 6001. You can create additional DNAT rules for other VMs, for example port 6002 for the second VM, and so on.
Your Bastion is on a different subnet from your VMs, so after you apply the default route to your VMs' subnet, you can still connect to your VMs via Bastion, as long as you don't apply the default route to your Bastion subnet. Bastion connects to your VMs using their private IP addresses.
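The DNAT setup described in the answer above, written out as an added Az PowerShell example (not code from the answer's author or from Microsoft). Resource group, firewall and public IP names, the VM private IPs and the laptop address are assumed placeholders; the per-VM port numbering (6001, 6002) follows the answer.

```powershell
# Assumed names: replace with your own resource group, firewall and public IP.
$rg      = 'rg-hub'
$fwName  = 'fw-hub'
$pipName = 'pip-fw-hub'

# Source restriction: only this (assumed) laptop public IP may hit the DNAT ports.
$laptopIp = '203.0.113.10/32'

# One firewall port per VM, as suggested in the answer. Private IPs are assumed.
$vmTargets = @(
    @{ Name = 'vm1'; PrivateIp = '10.0.1.4'; FirewallPort = '6001' },
    @{ Name = 'vm2'; PrivateIp = '10.0.1.5'; FirewallPort = '6002' }
)

$fw    = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fwPip = Get-AzPublicIpAddress -Name $pipName -ResourceGroupName $rg

# Build one DNAT rule per VM: firewall public IP:600x -> VM private IP:3389.
$rules = foreach ($vm in $vmTargets) {
    New-AzFirewallNatRule -Name "rdp-$($vm.Name)" `
        -Protocol 'TCP' `
        -SourceAddress $laptopIp `
        -DestinationAddress $fwPip.IpAddress `
        -DestinationPort $vm.FirewallPort `
        -TranslatedAddress $vm.PrivateIp `
        -TranslatedPort '3389'
}

# Group the rules into a single NAT rule collection and apply it to the firewall.
$collection = New-AzFirewallNatRuleCollection -Name 'rdp-dnat' -Priority 100 -Rule $rules
$fw.AddNatRuleCollection($collection)
Set-AzFirewall -AzureFirewall $fw

# Note (not from the answer): DNAT'ed traffic arrives at the VM from the firewall's
# private IP, so any NSG on the VM subnet must allow TCP/3389 from AzureFirewallSubnet.
# Connect with:  mstsc /v:<firewall public IP>:6001   (6002 for the second VM)
```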