Configure an access list to permit the VPN source network range (the IP ranges assigned to the client) to access the workstation over VNC:
access-list VNC-Only extended permit tcp object-group VPN-Subnets object-group Mac-Workstation eq 5900
Assign this to the access-policy:
dynamic-access-policy-record DfltAccessPolicy
network-acl VNC-Only
This will match all VPN traffic, though, so maybe you'd want to create a new dynamic access policy to match on the AAA attribute cisco.grouppolicy = (name of shared VPN group).
(You will need to open more ports than just 5900, so do it as a range, and obviously create the object group to match your requirements.)
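The same configuration with the two object groups defined and the port match written as a range, as an added example that is not part of the original answer. The addresses and the upper port 5901 are constructed placeholders; substitute your own VPN pool, workstation address and port range.

```cisco
! Added example. All addresses below are constructed placeholders.
! VPN source range: the pool assigned to the VPN clients.
object-group network VPN-Subnets
 network-object 192.0.2.0 255.255.255.0
!
! The single workstation that may be reached over VNC.
object-group network Mac-Workstation
 network-object host 198.51.100.10
!
! Permit VNC as a port range instead of "eq 5900".
! 5901 is an assumed upper bound; keep the range as narrow as the
! workstation actually needs.
access-list VNC-Only extended permit tcp object-group VPN-Subnets object-group Mac-Workstation range 5900 5901
!
! Attach the ACL to the default dynamic access policy. This applies to
! every VPN session that falls through to DfltAccessPolicy.
dynamic-access-policy-record DfltAccessPolicy
 network-acl VNC-Only
!
! After a test connection, confirm the entry is being hit:
! show access-list VNC-Only
```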