I am facing the same issue. I created the NCC and I am able to reach it from on-prem, yet I am not able to send traffic to the internet, so I created a VPN tunnel between HUB and SPOKE, a default route using the tunnel from the spoke, and a reverse route to the nodes subnet on the HUB. Yet the traffic is intermittent; return traffic is lost somewhere. I would really appreciate it if you could share the best practice, so that the proposed solution is able to handle all possible traffic scenarios (will the DNS-based endpoint solve it?) rather than using a mix of NCC+VPN.
Thanks,