3-year-old issue and still not working when only using private endpoints. We have a workaround to restart the app after pushing a new image
Container registry webhook to App Service with private endpoint gets 403 Forbidden

Situation
We have: App Service with VNet integration and private endpoint, Application Gateway (for SSL offloading) routing public requests to App Service, DNS zone and Private DNS zone are set up. One picture is worth a thousand words:
Problem
Continuous deployment process does not work: in the deployment center of the App Service I have configured to pull the image tagged as latest from the Container registry (it gets deployed just fine) and I have also checked the Continuous deployment "yes". The App Service created a webhook in Container registry's configuration.
- When a new image tagged as latest is pushed to Container registry the webhook is triggered but receives 403 Forbidden from the App Service's SCM endpoint.
- When trying to ping the webhook from Container registry's configuration page manually it also receives 403 Forbidden from the App Service's SCM endpoint.
- When making a manual HTTP POST request from the Linux Virtual Machine (using wget or curl) it receives 401 Unauthorized from the App Service's SCM endpoint.
I have double checked:
- the username/password is correct
- the URL & Authorization header in wget/curl are correct
- application gateway with App Service works correctly (App Service's private endpoint is reachable)
- manual request (wget, curl) to App Service from Linux Virtual Machine also works just fine (App Service's private endpoint is reachable)
- DNS lookup for mywebapp.azurewebsites.net resolves correctly to private IP address
- DNS lookup for mywebapp.scm.azurewebsites.net resolves correctly to private IP address
Why are we always receiving 403 Forbidden / 401 Unauthorized from App Service's SCM endpoint?
Any help/ideas would be appreciated; I need to finish setting up the CD process.
Thank you.
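A small diagnostic for the checks described in this question, added here as an example (it is not the asker's code and not from Microsoft). It assumes the hostname from the post, a constructed VNet prefix of 10.0.0.0/16, and the standard Kudu webhook path `/api/registry/webhook`; run it once from the Linux VM inside the VNet and once from a public machine and compare what `diagnose()` reports.

```python
"""Diagnose why a call to an App Service SCM (Kudu) webhook endpoint fails."""
import base64
import ipaddress
import socket
import urllib.error
import urllib.request

SCM_HOST = "mywebapp.scm.azurewebsites.net"   # hostname from the question
VNET_PREFIXES = ["10.0.0.0/16"]                # assumed VNet address space (constructed)


def resolve(host):
    """Return the IPv4 addresses the local resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443, socket.AF_INET)})


def is_private_endpoint(addr, prefixes=VNET_PREFIXES):
    """True when addr lies in the VNet, i.e. the private DNS zone answered the lookup."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def probe_scm(host, user, password, timeout=10):
    """POST to the Kudu registry webhook path with Basic auth and return the HTTP status."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/api/registry/webhook", data=b"{}", method="POST",
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def diagnose(private, status):
    """Map (name resolved inside the VNet?, status Kudu answered) to the likely cause."""
    if status == 403:
        if private:
            return "403 via private address: an access restriction on the SCM site rejects this source"
        return "403 via public address: the private endpoint blocks public callers, which is where the ACR webhook comes from"
    if status == 401:
        return "401: the request reached Kudu but was not authenticated; check the credentials and the Basic header"
    if 200 <= status < 300:
        return "webhook accepted"
    return f"unexpected status {status}"


if __name__ == "__main__":
    for addr in resolve(SCM_HOST):
        print(addr, "private" if is_private_endpoint(addr) else "public")
```

Only `resolve()` and `probe_scm()` touch the network; `diagnose()` is pure so the same interpretation can be applied to the 403 seen by the ACR webhook and the 401 seen from the VM.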