Cloud app conditional access exceptions

I have a lot of issues with attackers coming from VPN and anonymous IP's.  Im trialing a Conditional Access policy to apply Conditional Access App Control.

Ive created a Cloud App, Access Policy to blocks using IP address, Category, equals and listing a few categories like VPN and Risky.

Then another Access policy to block IP address, Tag, equals Tor, Anonymous, Random, Botnet etc.

Testing shows this works.  But I've been asked what if we wanted to allow a specific service like NordVPN.  How can I achieve this?