Private endpoint + DNS
If DNS resolves the service hostname to the public IP, your traffic goes public, even with a private endpoint in place. A private endpoint needs DNS attention: the service hostname should resolve to the private IP, and a private DNS zone often provides that mapping. First check when traffic is 'still public': DNS resolution.

