There is a slight but significant difference in setting up your Sophos UTM to connect to Azure via a gateway created in a classic deployment or in an ARM deployment.
This article describes perfectly how to setup a VPN connection to Azure using a gateway deployed via the classic deployment. And this article describes how to create an gateway via an ARM deployment but it does not describe how to configure a Sophos to connect to this gateway.
The biggest difference in the Sophos configuration is that the gateway that is configured on the Sophos, that will be used to connect to the ARM deployed gateway, is that the Gateway Type needs to be Response only and NOT Initiate connection.
There is also a small difference in the IPSec policy and some advanced configuration options need to be changed. Details can be found here.
Lastly but very important is the use of VNet Peering. VNet peering is a mechanism that connects two virtual networks in the same region through the Azure backbone network. Once peered, the two virtual networks appear as one for all connectivity purposes. They are still managed as separate resources, but virtual machines in these virtual networks can communicate with each other directly by using private IP addresses. More info here.
After this you a good to go!