This cannot be achieved directly using a VPN gateway with an established S2S connection. An Azure AD tenant and an on-premises Active Directory are different and are not completely similar. You need to deploy Azure Active Directory Domain Services here. Azure AD DS provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory.
One of the prerequisites for this setup is an Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. The process to join a managed domain is the same as joining a regular on-premises Active Directory Domain Services domain.
Now, configure secure LDAP for the Azure Active Directory Domain Services managed domain.
Note: The on-premises firewall should also allow this secure LDAP traffic over the Internet.
----------
Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
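The secure LDAP setup described in the answer above, as an added PowerShell example that is not part of the original answer: it creates the server certificate for the managed domain, exports it for upload, and restricts inbound TCP 636 to the on-premises public IP. The domain name `aaddscontoso.com`, the NSG name `aaddsNSG`, the resource group `rg-aadds`, and the placeholder source address are assumptions; replace them with your own values.

```powershell
# Assumed values (constructed for this example); substitute your own.
$ManagedDomain   = 'aaddscontoso.com'
$ResourceGroup   = 'rg-aadds'
$NsgName         = 'aaddsNSG'
$OnPremPublicIp  = '<ON-PREM-PUBLIC-IP>/32'   # placeholder: your firewall's egress address

# 1. Create the secure LDAP server certificate for the managed domain.
#    A self-signed cert is used here for illustration; for production use a cert
#    issued by a CA that the on-premises clients already trust.
$lifetime = Get-Date
$cert = New-SelfSignedCertificate -Subject "*.$ManagedDomain" `
    -NotAfter $lifetime.AddDays(365) `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -Type SSLServerAuthentication `
    -DnsName "*.$ManagedDomain", $ManagedDomain

# 2. Export the certificate with its private key (PFX) so it can be uploaded
#    to the managed domain's Secure LDAP settings in the Azure portal.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath ".\$ManagedDomain.pfx" -Password $pfxPassword

# 3. Lock down the managed domain's subnet: allow LDAPS (TCP 636) only from the
#    on-premises firewall's public IP rather than from the whole Internet.
$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'AllowLDAPS-FromOnPrem' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 401 `
    -SourceAddressPrefix $OnPremPublicIp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 636 |
    Set-AzNetworkSecurityGroup

# 4. From the on-premises side, confirm the LDAPS endpoint is reachable on 636
#    (requires the public DNS record for ldaps.<domain> to point at the managed
#    domain's external IP, which is shown in the Secure LDAP blade).
Test-NetConnection -ComputerName "ldaps.$ManagedDomain" -Port 636
```

The on-premises clients must trust the issuer of the uploaded certificate, so distribute the CA (or the self-signed cert) to their trusted root store before joining or querying over LDAPS.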