How to enable remoteapp and disable full rdp in feng shui?
Server 2016. Interested in the same and rake.
1. Create a local group TerminalAdmins and add users to it
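2. Create the AdminTools directory on the C drive and place the NoRDP.cmd script in it.
Script content:
@echo OFF
rem Look for the connecting user's name in the TerminalAdmins member list
net localgroup TerminalAdmins | find /i "%username%"
rem ERRORLEVEL 0 means find matched the name: continue to the desktop
if %ERRORLEVEL% == 0 goto admin
rem No match: end the RDP session immediately
logoff.exe
exit
:admin
rem Group member: start the normal desktop shell
start /B explorer.exe
exit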
3. Change group policy in gpedit.msc:
User Configuration -> Administrative Templates -> Windows Components -> Terminal Services -> Policy
Start a program on connection = Enabled
Program path and file name = C:\AdminTools\NoRDP.cmd
4. Run in CMD as Administrator: gpupdate /force
Or restart the server.
Now, when a user connects via RDP, the script will check if the user is a member of the TerminalAdmins group.
If the user is not included in the group, he will be immediately logged out.
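A stricter version of the same logon gate, as an added example that is not part of the original answer. `find /i "%username%"` is a substring match over the whole `net localgroup` output, header lines included, so this variant checks the group's SID against the logon token instead. The file name NoRDP.ps1 and starting it from the policy with `powershell.exe -NoProfile -File C:\AdminTools\NoRDP.ps1` are assumptions, and the execution policy must allow the script.

```powershell
# NoRDP.ps1 (hypothetical name): added example, not the answer's own script.
# Only members of the local group from step 1 get a desktop; everyone else is logged off.

$GroupName = 'TerminalAdmins'   # local group created in step 1 of the answer

function Test-TokenHasGroup {
    # Returns $true only if the given group SID is present and enabled in the token.
    param(
        [Parameter(Mandatory)] [System.Security.Principal.WindowsIdentity]   $Identity,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $GroupSid
    )
    $principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
    return $principal.IsInRole($GroupSid)
}

try {
    # Resolve the group name to its SID once, qualified with the computer name
    # so that a same-named domain group cannot be picked up by mistake.
    $account  = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$GroupName")
    $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # The token reflects exact, resolved membership (nested groups included),
    # so no text matching on user names is involved.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $allowed  = Test-TokenHasGroup -Identity $identity -GroupSid $groupSid
}
catch {
    # Fail closed: if the group cannot be resolved, treat the user as not allowed.
    $allowed = $false
}

if ($allowed) {
    # Group member: start the normal desktop shell, as the :admin branch does.
    Start-Process -FilePath "$env:SystemRoot\explorer.exe"
}
else {
    # Not a member: end the session, as the original script does.
    & "$env:SystemRoot\System32\logoff.exe"
}
```

Whichever script is used, C:\AdminTools should be writable only by administrators, since the gate runs in the connecting user's own session.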
Direct prohibition of RDP is not possible, since access to this service, as well as to full-fledged RDP, requires the same rights. But there are two workarounds (which I know, maybe there is something better):
1. Expose all applications through TS Web Access, removing the connection to the desktop itself from the list
2. Via group policy (or otherwise), set logoff.exe as the shell for all users (or call logoff in some other way immediately after logon). This affects full RDP; it will not apply to RApp.
Well, you can configure user rights so that getting on RDP will not bring additional vulnerabilities.