Prevent users from uploading files when they are on external networks
You can configure a Always On VPN on your VPN server. With this you will be able to force users to connect to internet thru your network with your firewall rules.
Configuring conditional access would be the golden bullet. I linked to the Azure documentation, but on premise you could reach the same by configuring your firewall, allowing all the internal networks, except the VPN services.