Authorization policy for restriction based on Client IP not working

Deployed Istio 1.10 on AKS cluster.
We are using Azure Application Gateway as the frontend and Istio gateway as the backend.
Traffic from the internet will be routed like this :

Traffic >> Azure Application Gateway >> Istio gateway >> Microservice

We have some microservices which we want to be accessible from VPN.
Therefore we are using Authorization policy which will check the Client IP and restrict the access to microservice based on Client IP.

Below Authorization policy will restrict the access to http://hostName/httpbin if not accessed from given IP.

Authorization policy :

kind: AuthorizationPolicy
  name: ip-restriction-policy
  namespace: istio-system
      istio: ingressgateway
  action: DENY
    - from:
      - source:
          notIpBlocks: [ "" ]
        - operation:
            paths: [ "/httpbin/*" ]

But this policy is not getting applied as we can see from the istio gateway logs, two ips are sent as Client IP, i.e,,

One more IP of proxy server is getting appended to Client IP.
Does anyone handle such a scenario?