I will re-state the problem to make sure I understand.
- You want mobile devices to be able to get email from Exchange over the Internet.
- You want computers to only be able to get email when they are connected via VPN.
This is not an easy problem to solve.
The easiest and cheapest way I can think of is to use AnyConnect - and only allow VPN access, even for mobile devices (you would need to install AnyConnect on those mobile devices). For mobile, the VPN would be started - and then left running. You would never disconnect.
I have not tried on mobile - but at least on desktop you can configure AnyConnect to start automatically, so users don't even need to do anything. If this is supported on mobile you could make it pretty seamless.
If I was giving advice strategically - I would say get rid of on-premise Exchange as quickly as you can and migrate to Office 365. Exchange on-premise is an ongoing security nightmare. Note that Microsoft is deprecating Exchange on-premise - so you will be moving off it - either when you choose on your own terms - or forcibly by Microsoft. You get to choose the timeframe for that shift at the moment.
The next option I can think of is to change your thinking, and move to zero trust. Implement Cisco Duo and use the "Beyond" plan. Configure Cisco Duo to only allow authorised company devices to be able to connect to Exchange (it can do this for lots of apps). Then only allow authorised mobile devices, and every device that is an AD member, to connect to Exchange over the Internet. For bonus points implement a security restriction so devices have to first pass a health check (such as having antimalware, that antimalware is not reporting that the device is compromised, has recent patches installed, etc).