Destination domain in Outbound Policy rule

The outbound policy for domain names doesn’t always work. It requires a reverse DNS lookup to match your domain name. Since most stuff is done via the cloud, reverse DNS seldom resolves to the DNS entry that you used to get the IP address. E.g. www.xbox.com will give you 5 returned IP addresses. If you do a reverse DNS lookup on any of those IP addresses, you won’t get back xbox.com.

I brought it up back in 2017: "Routing by DNS name".

Is that something that might be causing what you are seeing?
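The check described in the post above, as an added example that is not part of the original post or the vendor's code: it resolves a domain, reverse-resolves each returned IP, and reports whether the PTR name would satisfy a domain rule. The exact-or-subdomain matching in `ptr_matches`, the function names, and the sample records (documentation IP ranges, made-up CDN hostnames) are assumptions made for illustration.

```python
import socket

def forward_lookup(domain):
    """Return the sorted set of IP addresses the domain resolves to (live DNS)."""
    infos = socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def reverse_lookup(ip):
    """Return the PTR name for an IP, or None when no PTR record exists (live DNS)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def ptr_matches(ptr_name, rule_domain):
    """Assumed rule: PTR name equals the rule domain or is a subdomain of it."""
    if not ptr_name:
        return False
    ptr = ptr_name.rstrip(".").lower()
    rule = rule_domain.rstrip(".").lower()
    return ptr == rule or ptr.endswith("." + rule)

def audit_domain(domain, rule_domain, forward=forward_lookup, reverse=reverse_lookup):
    """For each IP behind `domain`, report whether its PTR would satisfy the rule."""
    report = []
    for ip in forward(domain):
        ptr = reverse(ip)
        report.append((ip, ptr, ptr_matches(ptr, rule_domain)))
    return report

# Constructed sample data so the example runs offline.
SAMPLE_A = {"www.example.com": ["192.0.2.10", "198.51.100.20", "203.0.113.30"]}
SAMPLE_PTR = {
    "192.0.2.10": "edge-10.cdn-provider.example.net",  # cloud-style PTR
    "198.51.100.20": "www.example.com",                # PTR agrees with the name
    # 203.0.113.30 has no PTR record at all
}

def sample_audit():
    return audit_domain("www.example.com", "example.com",
                        forward=lambda d: SAMPLE_A[d],
                        reverse=SAMPLE_PTR.get)

if __name__ == "__main__":
    for ip, ptr, ok in sample_audit():
        print(f"{ip:15} PTR={ptr or '-':35} rule match={ok}")
```

Calling `audit_domain("www.xbox.com", "xbox.com")` with the default resolvers runs the same check against live DNS.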