It is possible to put the IoT Hub service endpoint on a virtual network with a private endpoint while still having the ingress endpoint for D2C messages, twin updates, etc. exposed to the public internet. This is achieved by using Azure Private Link for ingress connectivity to IoT Hub and the trusted Microsoft services exception for egress connectivity from IoT Hub to other Azure resources. Private endpoints can be set up for IoT Hub so that services inside your VNet reach IoT Hub without sending traffic to IoT Hub's public endpoint. Similarly, your on-premises devices can use a Virtual Private Network (VPN) or ExpressRoute peering to reach your VNet and, through its private endpoint, your IoT hub. As a result, you can restrict or completely block connectivity to your IoT hub's public endpoints with the IoT Hub IP filter or the public network access toggle, so that devices reach your hub only through the private endpoint. This setup is intended for devices inside an on-premises network; it isn't advised for devices deployed across a wide-area network.
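The ingress side of that design (private endpoint for the hub, public access switched off, private DNS so on-premises or VNet clients resolve the hub's hostname to the private IP) as an added Bicep example; this is not Microsoft's sample code, and the hub name, VNet name, subnet name and SKU are assumptions chosen for illustration. The egress side (trusted Microsoft services exception) is configured on the destination resource, for example `networkAcls.bypass: 'AzureServices'` on a storage account together with a managed identity on the hub, and is not shown here.

```bicep
// Added example: IoT Hub reachable only through a private endpoint.
// Names below are placeholders, not values from the original text.
param location string = resourceGroup().location
param hubName string = 'example-iothub-placeholder'   // assumed name
param vnetName string = 'example-vnet-placeholder'    // assumed, must already exist
param subnetName string = 'pe-subnet'                 // assumed, must already exist

// The hub itself. publicNetworkAccess 'Disabled' blocks the public endpoint
// entirely; to allow only specific ranges instead, keep it 'Enabled' and
// add networkRuleSets / IP filter rules rather than disabling it outright.
resource hub 'Microsoft.Devices/IotHubs@2023-06-30' = {
  name: hubName
  location: location
  sku: {
    name: 'S1'
    capacity: 1
  }
  properties: {
    publicNetworkAccess: 'Disabled'
  }
}

// Existing VNet and subnet that will host the private endpoint NIC.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: vnetName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' existing = {
  parent: vnet
  name: subnetName
}

// Private endpoint targeting the hub's 'iotHub' sub-resource (the D2C /
// service endpoint that devices and back-end services talk to).
resource hubPrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: '${hubName}-pe'
  location: location
  properties: {
    subnet: {
      id: subnet.id
    }
    privateLinkServiceConnections: [
      {
        name: '${hubName}-plsc'
        properties: {
          privateLinkServiceId: hub.id
          groupIds: [
            'iotHub'
          ]
        }
      }
    ]
  }
}

// Private DNS zone so <hub>.azure-devices.net resolves to the private IP
// for clients inside the VNet (and on-premises, once the zone is reachable
// over the VPN / ExpressRoute DNS path).
resource hubDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azure-devices.net'
  location: 'global'
}

resource hubDnsZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: hubDnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: vnet.id
    }
    registrationEnabled: false
  }
}

// Ties the private endpoint's A record into the zone automatically.
resource hubDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = {
  parent: hubPrivateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'iothub'
        properties: {
          privateDnsZoneId: hubDnsZone.id
        }
      }
    ]
  }
}
```

After deployment, a quick check from a VM in the VNet is to resolve the hub's `azure-devices.net` hostname and confirm it returns the private endpoint's address; a resolution to a public IP means the DNS zone link is missing and clients will still try the (now blocked) public endpoint.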
Answer: Yes. The IoT Hub service endpoint can be placed on a virtual network with a private endpoint while the ingress endpoint for D2C messages, twin updates, etc. remains exposed to the public internet, by using Azure Private Link for ingress connectivity to IoT Hub and the trusted Microsoft services exception for egress connectivity from IoT Hub to other Azure resources.