Yes, port 9999 is indeed required for outbound. What IPs you should allow depends entirely on what you want to allow. If you're going to use Synthetic, then you should allow the IPs of the Synthetic nodes that you're going to use to communicate with the Cluster ActiveGate. If you're using Agentless monitoring on a publicly available web application - then I assume all IPs should be able to send traffic to the Cluster ActiveGate.
A public endpoint is needed when you are using agentless RUM monitoring or mobile RUM monitoring (in approaches where RUM data is sent directly to Dynatrace). With this option you don't need to expose the whole DT cluster; you can do it only with the ActiveGate.
Be aware that if, for mobile applications, you have an instrumented API web server, you can change the application settings to send beacons there (the same as it was in AppMon). But when you have a mobile app monitored without a backend, it's not possible.