I am trying to run SQL queries against an Azure managed instance from a Powershell script in an Azure automation account runbook. And I'm getting an "unable to connect" error that looks like a network level one. The script is as simple as can be:

Connect-AzAccount -Identity$Token = (Get-AzAccessToken -ResourceUrl https://database.windows.net).TokenInvoke-SqlCmd -Server "" -AccessToken $Token -Query "select * from sys.databases"

Powershell 5.1 worker. The prerequisites are the SqlServer module in the automation account, a managed identity on the automation account, and a SQL Server login for the latter on the instance.

The full error goes:

Invoke-SqlCmd : A network-related or instance-specific error occurred while establishing a connection to SQL Server. 
The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is 
configured to allow remote connections. (provider: TCP Provider, error: 0 - A connection attempt failed because the 
connected party did not properly respond after a period of time, or established connection failed because connected 
host has failed to respond.)

The target SQL server is an Azure SQL managed instance (not an Azure SQL database, not a SQL Server on a VM). The managed identity of the runbook has a login on the SQL Server level. The managed instance sits in a VNet/subnet. I've seen advice elsewhere to create a private endpoint for the runbook on the same VNet/subnet - I cannot, because the subnet in question has delegation. Creating a private endpoint in a different subnet of the same VNet doesn't help (although usually it's enough for TDS). The network security group on the VNet has an "allowed" rule for incoming TDS. Public access to the SQL instance is not enabled.

Can someone with an Azure subscription please test the basic scenario of hitting a managed instance with a SQL query from a runbook?