Teams Tunnel Zero Trust to Everyone!?

For a VPN replacement I need to manage RDP and other protocols. I’ve created a cloudflared tunnel within my trusted network. As there is (AFAIK) no option to route protocols other than HTTP(S) using the WARP client or the web dashboard, I called cloudflared access rdp on the client side. This is totally user-unfriendly, but I have issues with permissions - it seems to me that once a client is authenticated, he can access any resources he is aware of.

Access is allowed even if no such application exists in the Teams dashboard and Gateway Policies > Network contains only a single rule, Block all (Destination IP in

Which part of the puzzle am I missing?