How to create a policy exception?

Is it possible to create exceptions per resource for a policy, or is one limited to only subscriptions or resource groups?

 

Our scenario is that we are using route tables to route all traffic from resources in Azure through the Palo firewall we have in Azure, and when I review Security Center I see the following recommendation -

Internet-facing virtual machines should be protected with Network Security Groups

that doesn't apply to our resources as there is no need to be protected by NSGs when all traffic is sent to the Palo firewall.

 

I checked the documentation and the only way I can think of to address this is by creating resource groups for internal resources and then adding those RGs as exceptions for the policy.

 

Was curious if anyone was doing something like this or maybe has a better suggestion/recommendation.

 

Thx

0 Replies