If I understand correctly you don't want your users to be able to access the internet, but you do want them to be able to reach out to the local subnets and the subnets of the other sites participating in the Site-to-Site VPN.
- Close off the regular firewall in Firewall & SD-WAN > Firewall > Outbound Firewall by adding a Deny all rule.
- And if needed, add allow rules for the local subnets of the site so communications between local VLANs for which the MX is routing will still work.
- Then in Firewall & SD-WAN > Site-to-Site VPN there's another set of firewall rules for inbound and outbound traffic going over the site-to-site VPN tunnels, but these are open by default so that communication should already take place.
That's about it imo (I haven't tested this).
That should do the trick imo.
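As an added illustration of the rule ordering the steps above rely on (this is example code, not part of the original post and not Meraki's own code): the MX evaluates outbound L3 rules top-down, first match wins, and the implicit last rule is Allow any, so the "allow local subnets" rules have to sit above the Deny all. The block builds the rule list in the shape the Dashboard API takes for `PUT /networks/{networkId}/appliance/firewall/l3FirewallRules` (or `updateNetworkApplianceFirewallL3FirewallRules` in the `meraki` Python SDK, which is not imported here so the example runs offline) and then checks a few source/destination pairs against it with a small first-match evaluator. The subnets `192.168.10.0/24` and `192.168.20.0/24` and the `deny_first` switch are assumptions made up for the example; the evaluator only looks at source and destination CIDRs because every rule here uses protocol and port "Any".

```python
import ipaddress
from typing import Dict, List

# Constructed for this example: the site's local VLAN subnets (assumed values).
LOCAL_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]


def build_outbound_rules(local_subnets: List[str], deny_first: bool = False) -> Dict:
    """Return the payload for PUT /networks/{networkId}/appliance/firewall/l3FirewallRules.

    Order matters: the MX evaluates top-down and stops at the first match, and the
    implicit final rule is Allow any. The explicit Deny all therefore has to be the
    last rule we send. deny_first=True deliberately builds the misordered list so
    the mistake can be observed.
    """
    allow_rules = [
        {
            "comment": f"Allow inter-VLAN traffic from {src}",
            "policy": "allow",
            "protocol": "any",
            "srcCidr": src,
            "srcPort": "Any",
            # Comma-separated CIDR lists are accepted in srcCidr/destCidr.
            "destCidr": ",".join(local_subnets),
            "destPort": "Any",
            "syslogEnabled": False,
        }
        for src in local_subnets
    ]
    deny_all = {
        "comment": "Deny everything else (no Internet access)",
        "policy": "deny",
        "protocol": "any",
        "srcCidr": "Any",
        "srcPort": "Any",
        "destCidr": "Any",
        "destPort": "Any",
        "syslogEnabled": True,  # log drops so a blocked-but-expected flow is visible
    }
    rules = [deny_all] + allow_rules if deny_first else allow_rules + [deny_all]
    return {"rules": rules}


def _cidr_matches(field: str, ip: str) -> bool:
    """True if ip falls in any CIDR of a comma-separated field, or field is 'Any'."""
    if field.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(
        addr in ipaddress.ip_network(cidr.strip(), strict=False)
        for cidr in field.split(",")
    )


def evaluate(payload: Dict, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation of the rule list; returns 'allow' or 'deny'.

    Only srcCidr/destCidr are checked because every rule in this example uses
    protocol and port 'Any'. If nothing matches, the implicit default rule
    at the bottom of the Meraki list applies, which is Allow any.
    """
    for rule in payload["rules"]:
        if _cidr_matches(rule["srcCidr"], src_ip) and _cidr_matches(rule["destCidr"], dst_ip):
            return rule["policy"]
    return "allow"  # implicit default rule


if __name__ == "__main__":
    good = build_outbound_rules(LOCAL_SUBNETS)
    bad = build_outbound_rules(LOCAL_SUBNETS, deny_first=True)
    for label, payload in (("correct order", good), ("deny placed first", bad)):
        print(label)
        print("  VLAN10 -> VLAN20:", evaluate(payload, "192.168.10.5", "192.168.20.7"))
        print("  VLAN10 -> Internet:", evaluate(payload, "192.168.10.5", "203.0.113.9"))
```

With the correct order, inter-VLAN traffic is allowed and anything bound for the Internet hits the Deny all; with the Deny placed first, inter-VLAN traffic is dropped too, which is the symptom to look for if local routing stops working after the change. Traffic that goes into the site-to-site VPN tunnels is evaluated against the separate Site-to-site VPN firewall rules rather than this list.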