A1 - Documentation page
"Add a Windows Proxy Connector" discusses what this connector should be used for and points to the Active Directory target connector for management of domain accounts. That's what most customers use and it's working.
A2 - Documentation page
"Default Ports for Credential Manager" documents PAM Server -> PAM Proxy (27077) and PAM Proxy -> AD domain controllers (636) for management of domain accounts. The section about the Windows Proxy is not as clear as it could be, but there can hardly be a real question about what the connection should be. The proxy needs to connect to the port that the domain controllers are listening on. That shouldn't require further clarification.
A3 - Yes, if direct communication from PAM to AD domain controllers is not allowed, then the Windows Proxy would have to be used. This is covered in previous updates here. An obvious alternative would be to open the firewall and let (only) PAM connect to the domain controllers directly.
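An added check for the two hops described in A2 and A3 (this is example code, not from the thread or the product documentation). It is meant to run on the PAM Proxy host; hostnames are placeholders, and the LDAPS test assumes the proxy's Windows trust store is what validates the domain controller certificate.

```powershell
# Added example: verify PAM Server -> PAM Proxy (27077) and PAM Proxy -> DC (636) reachability.
# Hostnames below are placeholders; replace them with your own environment's names.
$DomainControllers = @('dc01.example.local', 'dc02.example.local')   # placeholders
$ProxyPort = 27077   # PAM Server -> PAM Proxy (run Test-TcpPath for this hop on the PAM Server)
$LdapsPort = 636     # PAM Proxy -> AD domain controllers

function Test-TcpPath {
    # Plain TCP reachability, i.e. whether the firewall allows the hop at all.
    param([string]$TargetHost, [int]$Port)
    $r = Test-NetConnection -ComputerName $TargetHost -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = "${TargetHost}:$Port"; TcpOpen = $r.TcpTestSucceeded }
}

function Test-LdapsCertificate {
    # TCP 636 being open is not enough: the DC must present a certificate this host trusts,
    # otherwise the proxy's LDAPS session to the domain controller fails during the TLS handshake.
    param([string]$TargetHost, [int]$Port = 636)
    $client = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($TargetHost)   # throws if chain or hostname validation fails
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Target = "${TargetHost}:$Port"; TlsOk = $true
            Subject = $cert.Subject; NotAfter = $cert.NotAfter
        }
    } catch {
        [pscustomobject]@{
            Target = "${TargetHost}:$Port"; TlsOk = $false
            Subject = $_.Exception.Message; NotAfter = $null
        }
    } finally {
        $client.Dispose()
    }
}

# Hop 2 (this host is the proxy): every DC must accept TCP 636 and pass TLS validation.
foreach ($dc in $DomainControllers) {
    Test-TcpPath -TargetHost $dc -Port $LdapsPort
    Test-LdapsCertificate -TargetHost $dc -Port $LdapsPort
}
```

A DC that reports TcpOpen but not TlsOk points at certificate trust on the proxy rather than at the firewall, which is the case the documentation does not spell out.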