Unable to connect leaf device over MQTT to Azure Edge device

I have an azure IoT Edge device set up as an ubuntu linux VM on vmware. It is connected to my IoT Hub without any problems. I'm trying to register a leaf device (raspberry pi - which I have successfully connected to the IoT Hub directly - i have removed the device from the hub). The Edge device is set up as a transparent gateway. When I attempt to register the device through the Edge, I'm getting Connection refused. The iptables on the edge device are set up to forward MQTT to the edgeHub container which is on the azure-iot-edge docker network. This is within the device registration samples from the python sdk. The exact error I am getting is

MQTTTransportStage: _on_mqtt_connection_failure called: Connection Refused: not authorised.
MQTTTransportStage(ConnectOperation): completing with error Connection Refused: not authorised.
SerializeConnectOpsStage(ConnectOperation): op failed.  Unblocking queue with error: Connection Refused: not authorised.
EnsureConnectionStage(MQTTSubscribeOperation): Connection failed.  Completing with failure because of connection failure: Connection Refused: not authorised.
EnsureConnectionStage(MQTTSubscribeOperation): completing with error Connection Refused: not authorised.
ProvisioningMQTTConverterStage(EnableFeatureOperation): completing with error Connection Refused: not authorised.
MQTTTransportStage: _on_mqtt_disconnect called: The connection was refused.
Unhandled exception in background thread
MQTTTransportStage: disconnection was unexpected
This may cause the background thread to abort and may result in system instability.
Exception caught in background thread.  Unable to handle.
azure.iot.device.common.transport_exceptions.ConnectionFailedError: The connection was refused.

It appears that the forwarding is not happening. This is my iptables

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8883
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:amqps
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:https

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere