To have fully functional BGP over IPSec tunnel, you need the support of Route-based IPSec, or as others called it VTI.
With VTI, you have a dedicated interface for IPSec tunnel, and policy is set to allow any to any within this tunnel, and then you manage your traffic on the route level, instead of managing IPSec policies.
Mikrotik does not have this feature, though it requested 10 years ago (check the forum).
You can still connect Mikrotik to Azure route-based Gateway and advertise your routes to Azure via Mikrotik BGP instance, but the routes received from Azure will not work on Mikrotik.
You have to use static IPSec policies on the Mikrotik level. As I tested, Azure gateway does not support transport IPSec mode, only tunnel mode. So creating Transport IPsec policy for IPIP tunnel on Mikrotik will not work...