Azure Virtual Machine Firewall
I'm not overly familiar with Watchguard, however assuming it only supports a single NIC as you say then first you need capabilities to route traffic to your web applications based on the path or url. If the FW doesn't support this then yes you would need something after the Firewall to handle that routing. Application Gateway is one way to do this with Azure and is probably the simplest approach. You could also look at any other reverse proxy like Nginx etc.
As far as being able to RDP to your VM's, I would look to avoid exposing this to the internet and FW at all. I would recommend looking at using Azure Bastion, which effectively provides a jump box as a service, you can then use this to access all your VM's.