We ended up using the PowerShell script here https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 to re-publish the FQDN of the server. We also changed the DNS so the FQDN pointed internally.
I think this script must have set the FQDN in a part of the config that had never been specified before, causing the RD Gateway to refer to itself by its FQDN to hand off requests. These requests failed at our firewall because we only allow ports 80, 443, 3391 through.
We don't have the option to add port 3389 to the loopback rule on the firewall and we don't want to open 3389 either, otherwise this would resolve the problem immediately.
Is there another way we can resolve this? Maybe changing the code and reversing the hand off requested.
Thanks
Chris