The internal load balancer provides a "redirect" service, so the user's browser or PAM client is redirected to the actual node. There may be cases where you don't want the user to ever connect directly to the actual node, so you would use an external load balancer to "forward" the request to the actual node instead. The end user only ever sees the FQDN of the load balancer.
You may also want to split traffic in some logical way, e.g. you have a 4-node cluster, all user requests are served by nodes 1 and 2, and all A2A requests are served by nodes 3 and 4. External load balancing can achieve this.
And if you have a multi-site cluster, you may want to send users to the site closest to them, so geo-based external load balancing could be used.
These are some reasons. There may be more depending on the customer environment (e.g. a different process for obtaining SSL certs for the external load balancer and the PAM appliances, etc.).
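As an added illustration of the "forward" and traffic-splitting points above (this is example configuration, not part of the original post and not vendor-supplied PAM configuration), here is an HAProxy setup in which clients only ever see the load balancer's FQDN and the connection is forwarded, not redirected, to a node. Traffic is split on the TLS SNI name, so a separate hostname for A2A clients lands on nodes 3 and 4 while everything else goes to nodes 1 and 2. Because it runs in TCP passthrough mode, the load balancer never terminates TLS, which sidesteps the separate-certificate process mentioned for the external load balancer. The hostnames `a2a.pam.example.com` / `pam.example.com` and the 10.0.0.x node addresses are assumptions for the example.

```haproxy
# Example only: external load balancer in front of a 4-node PAM cluster.
# Hostnames and node IPs are placeholders (assumptions), not real values.

frontend pam_https
    bind *:443
    mode tcp
    option tcplog
    # Wait for the ClientHello so the SNI name is available for routing.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # A2A clients use a dedicated hostname and are sent to nodes 3 and 4;
    # every other request (user browsers / PAM clients) goes to nodes 1 and 2.
    use_backend pam_a2a if { req.ssl_sni -i a2a.pam.example.com }
    default_backend pam_users

backend pam_users
    mode tcp
    balance roundrobin
    # Keep a user's session on the same node once established.
    stick-table type ip size 100k expire 30m
    stick on src
    server pam-node1 10.0.0.11:443 check
    server pam-node2 10.0.0.12:443 check

backend pam_a2a
    mode tcp
    balance roundrobin
    server pam-node3 10.0.0.13:443 check
    server pam-node4 10.0.0.14:443 check
```

Since the nodes only ever see connections from the load balancer, their own access controls and logs should account for the load balancer's address; the clients' real addresses are visible only in the load balancer's logs in this passthrough mode.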