I don't think you can do a posture check by MAC address. If you're using SSLVPN, and you're running Windows, you can do a Host Scan check for the following registry key:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
Then set up a Pre-Login policy that goes:
Windows->Registry Check->Success->RegCheckOK
                       |->Fail->RegCheckFail
At this point you've just verified that you can read that key and the value is stored for later use. You're not making an allow/deny decision yet.
Then in your Dynamic Access policy you do a Policy check for Location=RegCheckFail, that says "Unable to read registry". The following DAP policy check looks for Location=RegCheckOK, and validates that the value is your AD domain.
Alternatively, you could put a NAC box (ISE or Clean Access) 'behind/after' the VPN box, so although anyone can connect, only domain machines (and/or whatever other posture checks you want to make, e.g. Antivirus status) make it through to the rest of the network.
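
The two-stage registry check described in the post above can be dry-run locally on a Windows endpoint before the policy is built. This PowerShell sketch is an added example, not part of the original post and not Cisco configuration; the function name, the Allow/Deny labels and the sample domain `corp.example.com` are assumptions made for illustration.

```powershell
# Added example: local dry run of the Pre-Login + DAP logic from the post.
# Test-VpnDomainPosture and 'corp.example.com' are hypothetical names.
function Test-VpnDomainPosture {
    param(
        [Parameter(Mandatory)][string]$ExpectedDomain
    )

    # Same key the Host Scan registry check reads.
    $keyPath = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'

    # Stage 1 (Pre-Login): only record whether the value can be read.
    # No allow/deny decision is made here.
    try {
        $value = (Get-ItemProperty -Path $keyPath -Name 'Domain' -ErrorAction Stop).Domain
        $location = 'RegCheckOK'
    } catch {
        $value = $null
        $location = 'RegCheckFail'
    }

    # Stage 2 (DAP): first the RegCheckFail record, then the value comparison.
    if ($location -eq 'RegCheckFail') {
        $decision = 'Deny'
        $reason   = 'Unable to read registry'
    } elseif ([string]::IsNullOrWhiteSpace($value)) {
        # The key is readable but holds no domain name.
        $decision = 'Deny'
        $reason   = 'Domain value is empty'
    } elseif ($value.Trim() -ieq $ExpectedDomain.Trim()) {
        # DNS names are case-insensitive, so compare with -ieq.
        $decision = 'Allow'
        $reason   = 'Domain value matches the expected AD domain'
    } else {
        $decision = 'Deny'
        $reason   = "Domain value '$value' does not match"
    }

    [pscustomobject]@{
        Location    = $location
        DomainValue = $value
        Decision    = $decision
        Reason      = $reason
    }
}

# Constructed sample call; substitute your own AD DNS domain.
Test-VpnDomainPosture -ExpectedDomain 'corp.example.com'
```

Running it on a domain-joined machine and on a non-domain machine shows which branch each would take, including the empty-value case that a readable key can still produce.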