I want to do allow 3389 port(RDP) only through VPN connection, not normally. How can I do this?

I have configured VPN server in Mikrotik. I have blocked all traffic except http and https by firewall filter. I allowed 3389 by filter rule and right now other systems(outside of our network) able to do RDP to our intranet systems regardless of VPN. I mean Laptop(client outside of our network) can able to do RDP with/without VPN client. I need client should connect to VPN server of Mikrotik then do RDP to intranet system otherwise disconnect.

How do I block other RDP connection except RDP over VPN?

NAT supersedes Firewall so you need to stop NATing 3389.