Preserve source ip of external TCP service (proxy-protocol)

Hi, I would like to configure envoy to preserve source ip of the connection into the cluster.
Using managed Kubernetes (AKS) with Azure Loadbalancer, versions:
Istio: 1.16.1
Envoy: 1.24.2-dev

As a single ingressgateway handles HTTPS/TCP traffic, Envoyfilter configuration looks like:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: proxy-protocol
  namespace: istio-system
spec:
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        listener_filters:
        - name: proxy_protocol
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol"
            allow_requests_without_proxy_protocol: true
        - name: tls_inspector
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector"
  workloadSelector:
    labels:
      istio: ingressgateway

IstioOperator ingressgateway is set as a Daemonset, with externalTrafficPolicy Local

ingressGateways:
    - enabled: true
      k8s:
        overlays:
        - apiVersion: apps/v1
          kind: Deployment
          name: istio-ingressgateway
          patches:
          - path: kind
            value: DaemonSet
          - path: spec.strategy
          - path: spec.updateStrategy
            value:
              rollingUpdate:
                maxUnavailable: 1
        service:
          externalTrafficPolicy: Local

Source of the traffic is clients using proxy-protocol, while destination is RabbitMQ server inside the cluster. The aim is to show connection origins in management UI.
Azure Loadbalancer preserves client ip, however currently only istio-ingressgateway pod ip is shown, but not IP of origin.
Do you have any advice what should be checked/modified?
Thank you