Hello
According with this document, per tunnel QOS is supported only on FTD software :
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215331-anyconnect-implementation-and-performanc.html#anc19
But if you have a look to this document, it seems possible to apply a per flow policing on tunnel group.
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html#anc11
It doesn't seem supported on SSL client tunnel :
https://tools.cisco.com/bugsearch/bug/CSCsl73211/?reffering_site=dumpcr
This other document seems to confirm that it is applied per flow :
"The criteria to define flow is the destination IP address. All traffic going to a unique IP destination address is considered a flow. Policy action is applied to each flow instead of the entire class of traffic. " :
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/m_match_e-match_q.html#wp2222732868
As each Anyconnect client has its own IP address, it seems that downstream traffic from headend could be rate limited per client this way.
Note that it seems that there is limitation on tunnel with webvpn attributes as it does not support policing.So if it works, it would be only on IKEv2 client tunnel.
Moreover, policing is not supported on clientless VPN :
https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/vpn/asa-914-vpn-config/webvpn-overview.html?bookSearch=true#ID-2278-00000020
I did not try any of these configuration. Not sure it works.
Hope this helps