CVO is an ONTAP VM, ANF is physical hardware at Azure's data center that is managed by us, which you get a volume. File auditing is available as in normal ONTAP, so is FPolicy. I am unsure if ANF is sold with FPolicy support but it should be able to work since it is an ONTAP feature.
So from this I understood, If we use CVO, An Ontap VM is created in our cloud platform(Azure or AWS or GCP) and this Ontap VM will store and Manage the Data. If we use ANF, physical hardware at Azure's data center that is managed by netapp, from which I'll get a volume.
Also Is there a way to send the event logs from ANF and CVO to siem like splunk (forwarding logs in syslog format or writing as evtx file).