Thanks so much Francis, yes that seems to have worked. When the application is accessed outside our domain, it doesn't try to negotiate which would pop up the Windows authentication prompt and would never work anyways, but if the user is inside our domain either by being physically inside the building or through a VPN, the negotiate header is there to allow for automatic sign-in using their Windows credentials.
As you suggested I used a map:
map $external_traffic $negotiate {
    1 '';
    0 $upstream_http_www_authenticate;
}
Then inside the location block I removed and conditionally added the WWW-Authenticate header:
proxy_hide_header WWW-Authenticate; # Remove negotiate header
add_header WWW-Authenticate $negotiate always; # Add negotiate header for internal addresses
Thanks again!
Neil
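
The pieces from this message assembled into one fragment, as an added example that is not part of the original post. The post does not show how `$external_traffic` is set, so the `geo` block, the address ranges, the server name, the certificate paths and the upstream address below are all assumptions.

```nginx
# Added example (http context). Ranges, names and paths are placeholders.

# Assumed definition of $external_traffic: 1 = outside, 0 = inside.
# geo matches on $remote_addr by default. If nginx sits behind another
# proxy or load balancer, $remote_addr is that device's address, so the
# real client address must first be restored with the realip module
# (set_real_ip_from limited to the trusted proxy only), otherwise every
# client is classified the same way.
geo $external_traffic {
    default         1;
    10.0.0.0/8      0;   # assumed internal LAN range
    172.16.0.0/12   0;   # assumed VPN address pool
}

# From the post: empty value for external clients, the upstream's
# challenge passed through unchanged for internal ones.
map $external_traffic $negotiate {
    1 '';
    0 $upstream_http_www_authenticate;
}

server {
    listen 443 ssl;
    server_name app.example.com;                    # placeholder
    ssl_certificate     /etc/nginx/tls/app.crt;     # placeholder path
    ssl_certificate_key /etc/nginx/tls/app.key;     # placeholder path

    location / {
        proxy_pass http://192.0.2.10:8080;          # placeholder upstream

        # Strip the upstream's challenge from every response.
        proxy_hide_header WWW-Authenticate;

        # Re-add it only when $negotiate is non-empty. add_header skips
        # a header whose value is an empty string, so external clients
        # get the 401 without a challenge and no browser prompt.
        # "always" is needed because the challenge rides on a 401.
        add_header WWW-Authenticate $negotiate always;

        # Note: an add_header here replaces any add_header directives
        # inherited from the server or http level for this location.
    }
}
```

Hiding the challenge only suppresses the browser prompt for external clients; access control for those clients still has to be enforced by the application or by nginx itself.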