I assume some things here which may be wrong:
one pfSense cluster = HA group
Azure connection = your IPsec goes to your Azure server/cluster
We use a setup something like this one currently, just not connected to Azure but another third party. This has been used for a few years now with no issues. We only have one pfSense though, not an HA group on our side.
For the interface, we use a two-tiered gateway failover group, and on the other side, there are two profiles set, one for each of our VPN IPs. I imagine a load balance group would work the same for IPsec, just not prefer one over the other?
By the time we replace our aging firewall with an HA failover group, we could use the CARP IPs in the failover group, I guess? In reality, we'll likely go for BGP as well by then, but our IPsec solution currently works fine without BGP.
If I have misunderstood something, then please elaborate.
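An added example to illustrate the two gateway-group styles the post compares; it is a small model written for this page, not code from the poster or from pfSense. It assumes the usual tier semantics: a failover group places its WAN gateways on different tiers and only uses the lowest tier that still has an online member, while a load-balance group places them on the same tier so every online member carries traffic. The member names and states are constructed.

```python
from dataclasses import dataclass


@dataclass
class Member:
    """One gateway inside a gateway group (names and states are constructed)."""
    name: str
    tier: int      # 1 is the most preferred tier
    online: bool   # result of gateway monitoring (dpinger) in the real system


def active_gateways(members):
    """Return the members that would carry traffic right now.

    All online members of the lowest tier that has at least one online member
    are used. Members on the same tier share the load; members on a higher tier
    are only used once every lower tier is completely down.
    """
    online = [m for m in members if m.online]
    if not online:
        return []
    best_tier = min(m.tier for m in online)
    return [m.name for m in online if m.tier == best_tier]


def failover_group(wan1_up, wan2_up):
    """Two-tiered failover group like the one in the post: WAN1 preferred."""
    return active_gateways([
        Member("WAN1", tier=1, online=wan1_up),
        Member("WAN2", tier=2, online=wan2_up),
    ])


def load_balance_group(wan1_up, wan2_up):
    """Same two gateways on one tier: no preference, both used when up."""
    return active_gateways([
        Member("WAN1", tier=1, online=wan1_up),
        Member("WAN2", tier=1, online=wan2_up),
    ])


if __name__ == "__main__":
    print("failover, both up:     ", failover_group(True, True))
    print("failover, WAN1 down:   ", failover_group(False, True))
    print("load balance, both up: ", load_balance_group(True, True))
    print("load balance, WAN1 down:", load_balance_group(False, True))
```

Either way the remote side still needs a profile per VPN IP, as the post describes, because the tunnel will be sourced from whichever gateway the group currently selects.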