How to target Azure VPN (Microsoft-Registered) app with Conditional Access Policies?

I have an Azure Point-to-Site VPN Gateway configured using the Microsoft-registered Azure VPN Client App ID (Audience value: c632b3df-fb67-4d84-bdcf-b95ad541b5c8). Everything is working correctly for our users. The issue I am having is that anyone with an Entra account can connect to the VPN and I want to restrict this with a blocking Conditional access policy. I do not want to create a custom app registration, because then I will have to change the 'audience' value on the app gateway and all user's will need to modify their VPN clients. 

The problem is I need to target the Microsoft-registered Azure VPN app in a Conditional Access policy but it does not appear in my Enterprise Applications list or in the CA app picker when searching.

My questions:

1. Why does the Microsoft-registered app not automatically create a service principal in my tenant the way other Microsoft apps do?
2. Is there a supported way to make it appear in the CA app picker without creating a custom app registration or changing the gateway Audience value?
3. Has anyone successfully targeted c632b3df-fb67-4d84-bdcf-b95ad541b5c8 in a CA policy while keeping it as the gateway Audience value?

Thanks for the assistance here