I've tried setting to use the inside interface but that on it's own didn't help. 

When you say to configure the inside interface for management access do you mean the http and ssh commands and then allow the IP of the device which is connecting?

for management-access I will check the equivalent command in FPR 
for INside interface, are the INside interface subnet represent your Local LAN of Policy based VPN?
sorry one more thing are the Server subnet config as Remote LAN for policy based VPN?

The inside interface we have 10.10.10.0/24 and remote LAN is 10.10.8.0/23 and these are used as traffic selectors on the VPN. The VPN itself all works ok and can be reached from clients connected to the inside interface.

please check below comment 

Thanks. I have given that a try but in flexconfig it says it's a blacklisted command.

blacklisted cli error management-access inside

if it blacklisted then it add to FMC, what FMC ver. you use?

Thank you. I've had a look at the bug but it seems to be saying that the change is for the ASA end and the traffic leaves the Firepower side fine however in our case it doesn't leave the Firepower side from what I can tell. I had a look at a possible implementation anyway however as FDM writes the ACL's for the traffic selectors it's not possible to modify these in FDM or via SSH/FlexConfig.

We're not currently using FMC and are just using FDM instead. I've been having a look to see if there is a way around the blacklist command as well but it appears it's not just browser validation but the commands are submitted in a post to an API on the box and that message is returned so no way to override it.

I did also find something which suggested on the management access in FDM configuring the data interfaces could be the source of the problem and our inside interface was wrong there however unfortunately that didn't change the result of our problem.

Looking at packet tracer it seems that the Firepower doesn't know how to reach the network the NPS is on so tries to send it out the outside interface instead. 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 91.X.X.X using egress ifc outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

I share the bug workaround it not necessary that you face similar symptom, 
did you try workaround? 

It's not possible as you can't modify the traffic selector ACL used for the VPN as it's system generated on the FDM. Even looking at it through the CLI it's not an ACL that's as straight forward as the former ACL ones are and I don't believe it can be modified in flexconfig either.

Looking into this further it does seem the only way to resolve is the management-access inside command however I looked into this being blacklisted and it appears it's only until version 6.5 and we're on 6.4 still. The thread below is what led me to this:

https://community.cisco.com/t5/vpn/not-able-to-ssh-asa-inside-interfacec-through-vpn-tunnel-while/td-p/4097133

I'll try upgrading it tonight and see if the command then works.

Just to confirm updating the version worked and I could then add the "management-access inside" command and after doing so everything worked.