To prevent LAN users from using a specific VPN application, enable SSL Deep Inspection + application control profile in the firewall policy.

1.  Select Security Profiles -> Application Control, select the application profile, and select 'Edit'.
2. In the Profile, select 'Create New' under the Application and Filter Overrides section.

3. Search for the VPN Application, select the signature, and then select the button '+ Add Selected'. Repeat the process for QUIC and then add to Action the option Block.

It is necessary to block the QUIC protocol since UDP/443 is used for some applications, including some VPN applications, to avoid inspection.

4. Add the application control profile to the desired Firewall policy. Also, enable SSL Deep Inspection on the Firewall policy.

Related documents:

Technical Tip: How to enable deep inspection and import a certificate in the browser

Technical Tip: How to import CA certificates into IOS mobile devices

Technical Note: How to import CA certificates into Android devices

Application Control 
Technical Tip: How to block third party VPN