There's massive differences of using this compared to throwing some keys on a server and opening 22. These systems use the cloud provider's proxying and authz/authn to dynamically grant access.
One could have a box with no public IP and no open ports and still use this to connect.
No, through their in-house proxy tools such as Session Manager or Identity Aware Proxy or whatever Azure has.
> With an SSH key?
Not at the edge, and not an SSH key you manage. A dynamically generated one managed by the cloud provider which exists just for that session. So, not really, not like you're thinking.