I finally figured it out: the connection FQDN included the word "secure".
This won't allow server-side refresh: <database name>.database.secure.windows.net.
This will allow servers-side refresh: <database name>.database.windows.net
Both FQDNs seem to work otherwise. The 'secure' setting was used to enable auditing, but I don't think it is required anymore.
Problem solved. Thanks everyone.
-Jeff