You are thinking in an old school device-centric manner, not a modern cloud orchestrated manner.
The device does not decide who connects to it via AutoVPN. The cloud does. So if you have configured one spoke to connect to a hub and another that can not, the cloud will control it and make sure that is what happens.
If you are instead referring to what traffic can flow from one subnet to another over AutoVPN - then that is done using the VPN firewall rules. Once again, this is not device-centric. You specify it globally, and the cloud applies those policies to all devices and the network as a whole ensures the security policy is met.