Set Up Device-Specific Tally Access on AWS EC2 (Windows + VPN)

I have a licensed Tally installation on an AWS EC2 Windows instance. There are 7 Tally users within our organization, and I need each Tally user to be restricted so they can only access Tally from one specific laptop/PC. Even if they connect via our VPN, they should not be able to log in from any other device. Key Requirements: Tally Environment: Already installed on an AWS EC2 Windows Server, with 7 Tally users. Device-Specific Restriction: Each Tally user must be permitted to log in only from their assigned device. VPN in Use: We have an AWS VPN connection. If a user tries to connect through the VPN from an unapproved device, it must deny Tally access. Possible Approaches: VPN certificate/device binding Windows account / RDP restrictions Firewall rules / IP-based restrictions TDL customization (if needed, though prefer network- or OS-level solution) Security & Reliability: The solution should be robust and secure, preventing credential or device spoofing. Documentation: Need clear instructions on setup and ongoing maintenance. What I Need from You: Assess our current AWS EC2 + VPN + Tally setup. Propose and implement a method to lock down Tally access by device for each user. Ensure any changes (firewall, certificate, RDP gateway, etc.) are well-documented. Provide a short training or handover so we can manage user/device changes in the future. Prefer VPN certificate/device binding to restrict device access.