Unknown certificate authority when using openondemand-dex

The internal vs external could be a problem if both addresses are not part of the certificate's CN or Subject Alternative Name. Also the redirectURIs should probably point to the external address.

The way the Dex authentication works is that you come in from ood0097ca.westeurope.cloudapp.azure.com and then will likely get redirected to ood0097ca.westeurope.cloudapp.azure.com:5554 for Dex.

You can check your cert with something like openssl x509 -noout -text -in /etc/ood/dex/ood0097ca.westeurope.cloudapp.azure.com.crt. The Subject should have one of those internal or external addresses like CN=ood0097ca.westeurope.cloudapp.azure.com. You will then need to ensure there is an X509v3 Subject Alternative Name with a value like DNS:ood.gccuyzl1gunezber3txbsvqcja.ax.internal.cloudapp.net.

If possible you should probably only use the external address with Dex and not use the internal address, since the external address is what Dex will see from user requests as well as what it needs to redirect back to. The default behavior of the ood-portal-generator is to use the address from the servername config option and, if that's not defined, the host's FQDN. You could try adding this to ood_portal.yml:

servername: ood0097ca.westeurope.cloudapp.azure.com
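The manual openssl check above can be scripted so that every hostname Dex may be reached at (external and, if kept, internal) is tested against both the Subject CN and the DNS SAN entries, including single-label wildcard SANs. This is an added example, not code from the thread or from Open OnDemand; it assumes the openssl CLI is installed, and the certificate path and hostnames are placeholders to substitute.

```shell
#!/bin/sh
# Added example (not from the OOD thread): verify that a certificate's Subject CN
# or X509v3 Subject Alternative Name covers each hostname Dex will be reached at.
# Assumes the openssl CLI is available; paths and hostnames below are placeholders.

# Print the DNS names a cert is valid for: the Subject CN plus every DNS: SAN entry.
cert_dns_names() {
    cert="$1"
    openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    # The SAN values sit on the line following the SAN header in -text output.
    openssl x509 -noout -text -in "$cert" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Usage: cert_covers CERT HOST [HOST...]
# Returns 0 if every host is covered exactly or by a single-label wildcard
# SAN (*.example.com covers a.example.com but not a.b.example.com), else 1.
cert_covers() {
    cert="$1"; shift
    names=$(cert_dns_names "$cert")
    rc=0
    for host in "$@"; do
        found=1
        for n in $names; do
            if [ "$n" = "$host" ]; then
                found=0
            elif [ "${n#\*.}" != "$n" ] && [ "${host#*.}" != "$host" ] \
                 && [ "${host#*.}" = "${n#\*.}" ]; then
                found=0   # single-label wildcard match
            fi
        done
        if [ "$found" -ne 0 ]; then
            echo "NOT COVERED: $host (cert names: $(echo $names | tr '\n' ' '))" >&2
            rc=1
        fi
    done
    return $rc
}

# Example invocation (placeholder path and hostname):
#   sh check_cert_names.sh /etc/ood/dex/<host>.crt ood0097ca.westeurope.cloudapp.azure.com
if [ $# -ge 2 ]; then
    cert_covers "$@" && echo "ok: all names covered by Subject CN or SAN"
fi
```

Run it with the external address and, if you still expose it, the internal address; any name printed as NOT COVERED is one browsers (and Dex redirects) will reject with an unknown-authority or name-mismatch error until the cert is reissued with it in the SAN.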