Thanks for the responses! 
I’m using Google Domains; they provide my nameservers and offer straightforward DNS configuration. But…
I have a CNAME on Google Domains, which points to an FQDN resolved by Azure to my VM’s IP. Perhaps this is the issue, since Azure DNS does not support DNSSEC… However, I’m not using “Azure DNS” per se, but their Public IP Address option (see relevant documentation).
Perhaps I should try pointing directly to the IP and see if that resolves it…?