Hello anonymous user,
Welcome to Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.
I understand that you would like to implement a hub and spoke architecture where each customer corresponds to one spoke and all the traffic should be forced to go through Azure Firewall when customers want to reach their workloads via either S2S or P2S VPN.
The VPN client address pool is a range of private IP addresses that you specify (this range shouldn't overlap with the on-premises location that you connect from, or the VNet that you want to connect to). The clients that connect over a Point-to-Site VPN dynamically receive an IP address from this range. Since all the spoke/customer VNets will be connected to the hub VNet where the VPN gateway is situated, you need to enable BGP and "allow gateway transit" on the VPN gateway to be able to access the peered VNets from P2S VPN clients, and hence all three VNet address ranges will be advertised to the P2S VPN clients.
Refer : https://video2.skills-academy.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multivnets2sbranchbgp
To avoid customer1 having access to customer2 workloads, it is better to go with one VPN gateway for each customer or to use a third-party NVA for separate VPN address pools.
You can also opt for Azure Virtual WAN, where you can isolate VNets and branches along with Azure Firewall to inspect the traffic.
Refer : https://video2.skills-academy.com/en-us/azure/virtual-wan/scenario-isolate-virtual-networks-branches
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
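The hub-and-spoke wiring described in the answer above (gateway transit on the peerings, and route tables that force both P2S client traffic and spoke return traffic through Azure Firewall), written out as an added example with the Az PowerShell module. This is not code from the original answer or from Microsoft; every resource name, address range, the firewall private IP and the P2S client pool are assumptions, and the hub VNet, the VPN gateway in its GatewaySubnet, the Azure Firewall and the two spoke VNets are assumed to exist already.

```powershell
# Added example, not part of the original Q&A answer. Assumes an existing hub VNet with a
# VPN gateway (GatewaySubnet) and an Azure Firewall, plus two existing spoke VNets.
# All names, prefixes and IPs below are assumed values; change them for your environment.
$rg       = 'rg-hub-demo'
$location = 'westeurope'
$hubName  = 'vnet-hub'
$fwName   = 'afw-hub'
$fwIp     = '10.0.1.4'           # assumed private IP of the Azure Firewall
$vpnPool  = '172.16.201.0/24'    # assumed P2S client address pool (must not overlap any VNet)
$spokes   = @{ 'vnet-customer1' = '10.1.0.0/16'; 'vnet-customer2' = '10.2.0.0/16' }

$hub = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $hubName

# 1. Peer each spoke with the hub. AllowGatewayTransit on the hub side and UseRemoteGateways
#    on the spoke side let P2S clients reach the spoke; the spoke prefix is then advertised
#    to the clients together with the hub prefix. AllowForwardedTraffic is required so that
#    traffic coming from the firewall (a forwarding appliance) is accepted across the peering.
foreach ($spokeName in $spokes.Keys) {
    $spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $spokeName
    Add-AzVirtualNetworkPeering -Name "hub-to-$spokeName" -VirtualNetwork $hub `
        -RemoteVirtualNetworkId $spoke.Id -AllowGatewayTransit -AllowForwardedTraffic | Out-Null
    Add-AzVirtualNetworkPeering -Name "$spokeName-to-hub" -VirtualNetwork $spoke `
        -RemoteVirtualNetworkId $hub.Id -UseRemoteGateways -AllowForwardedTraffic | Out-Null
}

# 2. Route table on the GatewaySubnet: traffic arriving from VPN clients and destined for a
#    spoke is sent to the firewall instead of straight across the peering. BGP propagation
#    must stay enabled here, and 0.0.0.0/0 is not allowed on a GatewaySubnet route table.
$gwRt = New-AzRouteTable -ResourceGroupName $rg -Location $location -Name 'rt-gatewaysubnet'
foreach ($spokeName in $spokes.Keys) {
    Add-AzRouteConfig -Name "to-$spokeName" -AddressPrefix $spokes[$spokeName] `
        -NextHopType VirtualAppliance -NextHopIpAddress $fwIp -RouteTable $gwRt | Out-Null
}
Set-AzRouteTable -RouteTable $gwRt | Out-Null
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $hub -Name 'GatewaySubnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $hub -Name 'GatewaySubnet' `
    -AddressPrefix $gwSubnet.AddressPrefix -RouteTable $gwRt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $hub | Out-Null

# 3. Route table on every spoke subnet: default route to the firewall, with BGP route
#    propagation disabled so the VPN pool route learned via the hub gateway does not create
#    a direct return path that bypasses the firewall (asymmetric routing would drop flows).
foreach ($spokeName in $spokes.Keys) {
    $spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $spokeName
    $rt = New-AzRouteTable -ResourceGroupName $rg -Location $location `
        -Name "rt-$spokeName" -DisableBgpRoutePropagation
    Add-AzRouteConfig -Name 'default-via-firewall' -AddressPrefix '0.0.0.0/0' `
        -NextHopType VirtualAppliance -NextHopIpAddress $fwIp -RouteTable $rt | Out-Null
    Set-AzRouteTable -RouteTable $rt | Out-Null
    foreach ($subnet in $spoke.Subnets) {
        Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke -Name $subnet.Name `
            -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
    }
    Set-AzVirtualNetwork -VirtualNetwork $spoke | Out-Null
}

# 4. Firewall network rules (classic rules): allow the P2S pool to reach the spokes.
#    Azure Firewall denies by default, so anything not listed here is dropped.
$fw = Get-AzFirewall -ResourceGroupName $rg -Name $fwName
$rules = foreach ($spokeName in $spokes.Keys) {
    New-AzFirewallNetworkRule -Name "p2s-to-$spokeName" -Protocol Any `
        -SourceAddress $vpnPool -DestinationAddress $spokes[$spokeName] -DestinationPort '*'
}
$coll = New-AzFirewallNetworkRuleCollection -Name 'p2s-to-spokes' -Priority 200 `
    -Rule $rules -ActionType Allow
$fw.AddNetworkRuleCollection($coll)
Set-AzFirewall -AzureFirewall $fw | Out-Null
```

Note the limitation that the answer's recommendation addresses: with a single VPN gateway there is one shared client address pool, so the firewall sees every customer's clients as sources in the same 172.16.201.0/24 range and cannot tell customer1 from customer2 by source IP. The rules above therefore only keep clients inside the set of spokes; per-customer isolation needs separate pools, which is why the answer suggests one gateway per customer, an NVA with separate pools, or Virtual WAN.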