Thanks for the reply.
On looking at this closer, I'm not sure if what I need is possible. Specifically, I need to grant VPN access to some contractors, but I need to limit their access to a few servers.
It seems to me that policy-based VPN would work only in restricting the computer that has initiated the VPN connection. For example, if they remote desktop or SSH into an allowed server from their computer, they could then access the rest of the network from that server (since there are no restrictions on the server itself).
I am wondering if I need to VLAN or segment the entire environment into a different subnet.
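The transitive-access problem the post describes can be checked mechanically rather than by eye. The following is an added example, not part of the original post or of any vendor's VPN product: a small reachability model over constructed hosts, subnets and first-match allow/deny rules (all names and addresses are invented). It compares a rule set where only the VPN pool is restricted against one where the allowed server sits in its own segment with egress to the rest of the LAN denied, and computes what a contractor could reach by hopping through any host they are permitted to log in to.

```python
"""
Constructed reachability model (added example, not from the thread).

Rules are (source network, destination network, action) tuples evaluated
first-match with an implicit default deny, the way most firewall ACLs work.
reachable_from() answers: starting from one host, which other hosts can be
reached by chaining hops, i.e. if A may reach B and B may reach C, then C is
transitively reachable from A. All hosts and addresses below are invented.
"""
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed inventory: one contractor VPN client plus three internal servers.
HOSTS = {
    "contractor-vpn": "10.255.0.10",  # address from the contractor VPN pool
    "web-01": "10.10.1.20",           # the one server the contractor should reach
    "db-01": "10.10.2.30",
    "fileshare": "10.10.3.40",
}


def allowed(rules, src_ip, dst_ip):
    """First-match evaluation of a rule list; returns True only on an explicit allow."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for src_net, dst_net, action in rules:
        if src in ip_network(src_net) and dst in ip_network(dst_net):
            return action == "allow"
    return False  # default deny


def reachable_from(rules, start):
    """Breadth-first search over hosts: every host the start host can reach,
    directly or by pivoting through an intermediate host it may reach."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for name, ip in HOSTS.items():
            if name not in seen and allowed(rules, HOSTS[current], ip):
                seen.add(name)
                queue.append(name)
    seen.discard(start)
    return sorted(seen)


# Rule set 1: policy-based VPN only. The contractor pool is limited to web-01,
# but nothing constrains traffic between internal servers.
POLICY_VPN_ONLY = [
    ("10.255.0.0/24", "10.10.1.20/32", "allow"),
    ("10.255.0.0/24", "0.0.0.0/0", "deny"),
    ("10.10.0.0/16", "10.10.0.0/16", "allow"),  # servers talk to each other freely
]

# Rule set 2: same VPN policy, plus web-01's segment (10.10.1.0/24) is denied
# egress to the rest of the server LAN. Any exception added here (for example
# web-01 -> db-01 for the application's own needs) widens the contractor's
# transitive reach by exactly that much, which reachable_from() will show.
SEGMENTED = [
    ("10.255.0.0/24", "10.10.1.20/32", "allow"),
    ("10.255.0.0/24", "0.0.0.0/0", "deny"),
    ("10.10.1.0/24", "10.10.0.0/16", "deny"),   # contractor-facing segment: no lateral egress
    ("10.10.0.0/16", "10.10.0.0/16", "allow"),
]

if __name__ == "__main__":
    for label, rules in (("policy VPN only", POLICY_VPN_ONLY), ("segmented", SEGMENTED)):
        print(f"{label:16s} -> contractor can reach: {reachable_from(rules, 'contractor-vpn')}")
```

Running it shows the first rule set lets the contractor reach every server via web-01, while the second confines them to web-01 alone. The useful habit is to re-run this kind of check after every ACL change on the contractor-facing segment, since each egress exception granted to that server is also granted, transitively, to whoever can log in to it.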