I have the same problem. I was going to use CloudFare WAF to disable TLS 1.0. However, Cloudflare will not sign the BAA, so if you need to be compatible with HIPAA, you will be closed. Most people have this problem for PCI compliance, so this should not be a problem.
You can copy your application service to the App Service environment and disable TLS 1.0 through the cluster settings. However, you need to upgrade to the Premium level, and you must have at least four servers (2 interfaces, 2 backends), which is even more expensive. Even with four P1s, you look for almost $ 900 ($ 223 / server / month).
You can also configure nginx and make it a reverse proxy with TLS 1.0 disabled. However, now you need to manage the virtual machine. And since virtual machines are technically prone to crashes, you should have two nginx mailboxes in the availability set installed behind the load balancer. Blech.
In short, this is just a terrible situation. I am in the same boat, and I am really angry about it.
I would not mind making an application service environment if it werenβt so expensive.