Thank you for reaching out.
I understand that you have an Azure virtual machine with IIS configured for NTLM AD provider authentication. This allows domain users to access the site transparently. However, you want to improve security and utilize WAF2 for protection. Unfortunately, you discovered Application Gateway v2 doesn't support NTLM.
Yes, your understanding here is correct and Application Gateway v2 doesn't support NTLM. The Azure Front Door Service is also not validated to work alongside NTLM authentication and I checked internally and could find that customers have run into issues while using Azure Front Door Service with NTLM auth.
The recommended solution in this case is to update the authentication method instead. It will also help if you could upvote this feedback item for this request on our feedback portal.
If it helps, you can also go through this blog post on how the Windows team is reducing dependencies on NTLM.
Hope this helps! Please let me know if you have any additional questions. Thank you!