To begin resolving connection issues between your Azure Bastion Service and a VM, check the VM is running.
The VM doesn't need to have a public IP address, but it must be in a virtual network that supports IPv4. Currently, IPv6-only environments aren't supported.
Azure Bastion can't work with VMs that are in an Azure Private DNS zone with core.windows.net or azure.com in the suffixes. This isn't supported because it could allow overlaps with internal endpoints. Azure Private DNS zones in national clouds are also unsupported.
If the connection to the VM is working but you can't sign in, check if it's domain-joined. If the VM is domain-joined, you must specify the credentials in the Azure portal using the username@domain format, instead of domain\username. This change won't resolve the issues if the VM is Microsoft Entra joined only, as this kind of authentication isn't supported.
The AzureBastionSubnet isn't assigned an NSG by default. If your organization needs an NSG, you should ensure its configuration is correct in the Azure portal.