No, there is no way to block which IP address the Z3 can establish its tunnel from - that is the ease of the Meraki solution, you don’t need a static IP address. You’ll have to lock the Z3 on the LAN side so that if it is moved somewhere else it is useless unless the right credentials are used on the LAN side - e.g. look at using 802.1x on both wired and wireless.
Obviously, if you know the device has moved you can shut down the VPN tunnel manually. Using this principle you could write a script to monitor the WAN IP address of the Z3 using the API, and if changes then drop the VPN. (Although I don’t think there is an API endpoint to drop the VPN, but you can remove the subnet from the site-to-site VPN which should have the same effect).