So you can't obviously block TCP/443 as you will not have access to anything else on the web, but you can block the popular UDP/1194 VPN port that Nord uses. Without it, there will no successful connection.
CyberGhost VPN on the other hand uses 5443/TCP, so blocking that traffic, will cut off access to any of its servers.
Check with the VPN provider and close the gate that way.
Also, you could use Network Center > Traffic Control > Monitor option to monitor accessed domains in real time for a particular machine (or review it from the past logs), and add the domain to a blocked web filter. That way you might also catch what VPN provider is being used in order to authenticate to it, and just block its root domain access. Without that, the person will not be able to pass authentication even if the traffic is being run on some alternative VPN port other than 1194.
Reading the rule it looked to be checking for source IP, so it might be only applied to inbound requests from TOR but maybe it will be applied to returned packets from outbound requests… I don’t know.
SRM 1.3 includes the ability to block internal requests to DNS over HTTPS services, while retaining the ability for itself. This enables Safe Access to continue to be used for DNS over UDP/TCP and so apply web filtering Using the default 18 categories plus allowed/denied sites.
You can have firewall rules that block outbound access to TCP/UDP ports, or limited to an only the standard ports. That won’t stop access to proxies or VPN services using standard ports but would at least limit the access a bit.