If you want to allow just some AD groups to use external access, you can do that in different ways using a Security Rule (e.g. in the Virtual Proxy configuration you can extend the security environment and track the source IP on which to build the Security Rule, or use the coming Virtual Proxy for that).
If the access comes from the public network, you can also consider putting a new proxy in the DMZ.
You need a full Qlik Sense server. You can place it on the Internet with an SSL certificate, and all customers can take full advantage of self-service BI.
But here it is necessary to count the number of licenses (tokens).
You can add the hub URL to the whitelist in QMC. Otherwise it'll throw an error.