Windows Authentication on Azure VM using Azure AD account from remote client

Issue

When connecting with Windows Authentication "Cannot connect to 172.16.1.5. The target principal name is incorrect. Cannot generate SSPI context." Nothing appears in the SQL Server log.

Environment/Configuration

O365 Azure VM

SQL Server Standard 2016 SP1, Default Instance, installed on Windows Server 2016

Windows & SQL Server Authentication enabled

Allow Remote Connections To This Server Enabled

Configuration Manager>Protocols for MSSQLSERVER>TCP/IP -> all enabled (IP1, IP2, IP3, IP4, IPALL) port 1433

Azure Joined Workstation

Connected using Peer to Site VPN to Azure virtual network

SSMS 17, can successfully connect using IP or host name using SQL Server Authentication.

Diagnostics

Kerberos Configuration Manager reports that "TCP must be enabled to use Kerberos Authentication on SQL Service 2016 Standard Edition Engine" Windows Firewall is off (temporary while troubleshooting connectivity). It's probably something ridiculous, but I can't find it.