You can do this simply with the following:
Rule 1 - VDI to AD Server (Server ports) = Allow
Default L3 Rule = Block
If you still cannot log on, you probably also need to add rules for things like DNS (and other required services) above the default deny rule.
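As an added illustration of the answer above (example code, not something from the original post or from NSX itself), the following first-match simulation walks the two-rule set through the traffic a domain logon needs. The addressing (a 10.10.0.0/24 VDI pool, a DC at 10.20.0.10, a separate DNS server at 10.20.0.53) and the port subset are assumptions made for the example; the point it shows is that with only "VDI to AD" plus the default block, the DNS lookup is dropped by the default rule, that a DNS allow rule fixes this only when it sits above the default deny, and that a rule placed below the catch-all is dead.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed addressing for the example (not from the original post).
VDI_NET = ip_network("10.10.0.0/24")       # VDI desktop pool
AD_SERVER = ip_network("10.20.0.10/32")    # domain controller
DNS_SERVER = ip_network("10.20.0.53/32")   # DNS server that is NOT the DC
ANY = ip_network("0.0.0.0/0")

# Subset of the well-known ports a domain controller listens on; enough to
# show the mechanism, not a complete AD service matrix.
AD_PORTS = frozenset({("tcp", 88), ("udp", 88), ("tcp", 135), ("tcp", 389),
                      ("udp", 389), ("tcp", 445), ("tcp", 464), ("tcp", 636),
                      ("tcp", 3268)})
DNS_PORTS = frozenset({("udp", 53), ("tcp", 53)})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[frozenset]   # None means "any service"
    action: str                  # "Allow" or "Block"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and (self.ports is None or (f.proto, f.dport) in self.ports))

    def is_catch_all(self) -> bool:
        return self.src == ANY and self.dst == ANY and self.ports is None


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches, top to bottom."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    raise ValueError("rule set has no catch-all default rule")


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules placed below an any/any/any rule; they can never match."""
    for i, r in enumerate(rules):
        if r.is_catch_all():
            return [x.name for x in rules[i + 1:]]
    return []


RULE_VDI_TO_AD = Rule("Rule 1 - VDI to AD Server (Server ports)", VDI_NET, AD_SERVER, AD_PORTS, "Allow")
RULE_VDI_TO_DNS = Rule("Rule 2 - VDI to DNS", VDI_NET, DNS_SERVER, DNS_PORTS, "Allow")
DEFAULT_L3 = Rule("Default L3 Rule", ANY, ANY, None, "Block")

RULESET_AS_POSTED = [RULE_VDI_TO_AD, DEFAULT_L3]
RULESET_WITH_DNS = [RULE_VDI_TO_AD, RULE_VDI_TO_DNS, DEFAULT_L3]
RULESET_DNS_BELOW_DEFAULT = [RULE_VDI_TO_AD, DEFAULT_L3, RULE_VDI_TO_DNS]  # wrong order

# Constructed sample of what a desktop sends during a domain logon.
LOGON_FLOWS = [
    Flow("10.10.0.15", "10.20.0.53", "udp", 53),    # resolve the domain's SRV records
    Flow("10.10.0.15", "10.20.0.10", "tcp", 88),    # Kerberos AS/TGS exchange
    Flow("10.10.0.15", "10.20.0.10", "tcp", 389),   # LDAP
    Flow("10.10.0.15", "10.20.0.10", "tcp", 445),   # SMB (SYSVOL / group policy)
]


def blocked_logon_flows(rules: List[Rule], flows: List[Flow] = LOGON_FLOWS) -> List[Flow]:
    """Logon flows that the given rule set drops."""
    return [f for f in flows if evaluate(rules, f)[0] == "Block"]


if __name__ == "__main__":
    for label, rs in (("as posted", RULESET_AS_POSTED),
                      ("DNS rule above default", RULESET_WITH_DNS),
                      ("DNS rule below default", RULESET_DNS_BELOW_DEFAULT)):
        for f in LOGON_FLOWS:
            action, rule = evaluate(rs, f)
            print(f"[{label}] {f.src} -> {f.dst} {f.proto}/{f.dport}: {action} ({rule})")
        if shadowed_rules(rs):
            print(f"[{label}] unreachable rules: {shadowed_rules(rs)}")
```

Running it shows the single blocked logon flow in the posted rule set is the DNS query, which is why the desktop cannot find a domain controller even though every AD server port is open; the misordered variant blocks the same flow and reports "Rule 2 - VDI to DNS" as unreachable.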