App service in virtual network not always using virtual network integration

Question

I have an Azure App Service and SQL database integrated with my virtual network. However, some (but not all) connections to the database from the web app still seem to be coming from a public IP.

Connections to the database occur via C# WebMethods. Requests are made to the WebMethods via AJAX from the front-end.

The error I'm getting on some connections is:

"An error occurred while establishing connection to remote data source: [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Reason: An instance-specific error occurred while establishing a connection to SQL Server. Connection was denied since Deny Public Network Access is set to Yes (https://docs.microsoft.com/azure/azure-sql/database/connectivity-settings#deny-public-network-access). To connect to this server, use the Private Endpoint from inside your virtual network (https://docs.microsoft.com/azure/sql-database/sql-database-private-endpoint-overview#how-to-set-up-private-link-for-azure-sql-database).

If I enable "public" access but disable the option to allow Azure resources to connect (i.e., because I don't want people in other Azure subscriptions to be able to connect to my database), the error changes to "Cannot open server 'dbname' requested by the login. Client with IP address '20.x.x.x' is not allowed to access the server."

So the IP it's connecting from is a public IP, not one in the vnet.

This is only happening on some connections. Sometimes the connection is successful. The database is being connected to using a single connection string that is updated to the correct private endpoint (databasename.privatelink.database.windows.net).

Any suggestions on what might be happening? I was suspecting an outbound DNS issue, but I don't know where it might be originating. Thanks for any help!