Assuming we're talking about using ClearPass as a RADIUS server, you can list multiple Authentication Sources in a single service, if the account cannot be found in the on-prem AD source, it'll fail through to the next one. This way you can use a single SSID with multiple auth sources.
The real question is integrating Azure AD with ClearPass at that point, and I'm assuming that should work fine as long as the ports are open to communicate. I would make sure you do LDAP over SSL since the connection will be outbound through the internet. I also don't know what type of lookup times you may see since it's not local, but I think technically it should be possible. I haven't done it myself, but I imagine it should be very similar to setting up the on-prem LDAP, just public IP instead of private.