I don't know of anything that will restrict VPN access by MAC address, but you can restrict access to authorised devices.
I don't think this works "right now", but it shouldn't be far away.
You will have to use Cisco AnyConnnect with SAML authentication against Duo. At the moment, AnyConnect uses its internal web browser to process the authentication, but I believe this is being replaced by an external browser soon.
If you use Cisco AnyConnect, and SAML authentication against Cisco Duo, then you can use Duo Trust.
https://duo.com/product/device-trust
With Duo Trust you can create rules to only allow trusted devices. One of the trust requirements you can specify is that a device must be "healthy".
https://duo.com/docs/device-health
One of the health requirements you can specify is that a machine must have a registered GUID in Duo (which is like MAC address but more secure). If you do this, then you can say only registered machines can log in via VPN.
https://duo.com/docs/trusted-endpoints-generic-device-health
If you only use the trusted devices it might even work now with the AnyConnect embedded browser now - I don't know. I haven't used it in such a limited scope. But wider health policies, like requiring machines to have specific patches, be running antivirus, etc, will definitely need the AnyConnect external browser support.
You need to have a Duo Beyond plan to get the above features.
https://duo.com/editions-and-pricing