We have configured a group policy and AnyConnect profile for SAP users hosted on AWS Cloud. The cloud setup includes SD-WAN with a vMX configured in a VPC.
Current Scenario:
SAP users can access only SAP applications as expected.
Non-SAP users are also able to access SAP applications and other servers, despite policies in AD.
Group policies in AD are not being enforced correctly.
Key Issue:
Documentation states:
"The MX does not support mapping group policies via Active Directory for users connecting through the client VPN."
Given this limitation, how can we achieve the desired policy enforcement to restrict SAP access for non-SAP users while ensuring proper access for SAP users?
Additional Context:
We aim for a solution that enforces group-specific restrictions.
Looking forward to recommendations or workarounds!