Thanks for your reply.
Nowadays, we have around 15 different vnets deployed in a hub and spoke architecture. Every vnet has peering to the firewall subnet but not between vnet-vnet.
Also, we have different route tables applied to every subnet that force traffic to the virtual appliance. Also, we have checked the rules that are configured at firewall level, and it does not allow traffic to different subnets.
Every subnet has a UDR that forces traffic redirection to the firewall, and overall every route table has an implicit rule to destination 0.0.0.0/0 to the Azure firewall IP. Every route table has the route propagation option disabled. Also, we have checked the network path using the Azure Network Watcher tool, and we could see that traffic flows through the firewall.
Furthermore, we have taken different packet captures on both sides and MSN has checked too, but the support team hasn't found why different flows are allowed.
In addition, we have checked routes and fw rules with MSN help too, but they haven't seen any particular reason yet.