Global protect with LOOPBACK Interface

GlobalProtect Agent Connection Failure with Custom Port (23590) - Loopback Gateway Issue

I have a Palo Alto NGFW (public IP: 80.75.164.100) connected directly to the internet with a DNS record (vpn4.example.com) pointing to this IP. I'm trying to configure the GlobalProtect Agent to connect via a custom port (23590) instead of the standard port 443, so I've created a Destination NAT rule that translates 80.75.164.100:23590 to 172.31.200.200:443 (a loopback interface on the firewall).

The problem is that when I set the GlobalProtect Agent gateway address to 172.31.200.200:23590, the Agent connects successfully up to the authentication stage (I can enter username and OTP), but immediately after authentication completes, the connection drops and displays the error: "Gateway example-VPN: The network connection is unreachable or the gateway is unresponsive."

Interestingly, the Clientless portal (browser-based access) on the same custom port works perfectly fine, which tells me the NAT policy and security policy rules are functioning correctly.

My question is: is the issue that I'm configuring the Agent gateway address as the loopback interface, and remote clients cannot reach loopback addresses because they are only accessible locally on the firewall itself? Should I instead configure the Agent gateway address as the public IP (80.75.164.100:23590) or the DNS hostname (vpn4.example.com:23590) and let the NAT rule handle the translation to the loopback? If so, do I need to modify the NAT policy or security policy, and is there a source NAT requirement for return traffic from the loopback interface?
