How can I enable RDP over VPN only?

Solution 1:

Assuming you want to make that happen only from the outside (Internet), then simply do not allow RDP (3389) through the firewall. They would connect via the VPN, get an internal IP address, and then use the internal IP, or internal DNS name, of the server to connect.

Solution 2:

Just create a firewall rule to only accept RDP connections from whatever IP address range your VPN users get.
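
One way to apply the source-range restriction from Solution 2 on the RDP host itself, as an added example that is not part of either answer. It assumes the server runs Windows with the built-in Defender Firewall, that the rule group carries its English display name "Remote Desktop", and that VPN clients receive addresses from 10.8.0.0/24 (a constructed value; substitute your own pool).

```powershell
# Run in an elevated PowerShell session on the RDP server.
# Assumption: VPN clients are assigned addresses from this pool (constructed value).
$VpnPool = '10.8.0.0/24'

# The built-in inbound RDP rules (TCP and UDP 3389) belong to the
# "Remote Desktop" display group (English name assumed).
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Direction -eq 'Inbound' }

if (-not $rdpRules) {
    throw 'No inbound rules found in the "Remote Desktop" group.'
}

# Scope the allow rules so only sources inside the VPN pool can connect.
$rdpRules | Set-NetFirewallRule -RemoteAddress $VpnPool -Enabled True

# Audit: list every enabled inbound allow rule that names TCP 3389 and show
# its source scope. A custom rule outside the built-in group that still
# allows "Any" would undo the restriction, so flag those.
# Rules that cover 3389 through a port range or "Any" port are not matched here.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Enabled -eq 'True' -and
        $_.Direction -eq 'Inbound' -and
        $_.Action -eq 'Allow'
    } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = $remote -join ', '
            OpenToAny     = $remote -contains 'Any'
        }
    } |
    Format-Table -AutoSize
```

Any row with `OpenToAny` set to True is a rule that still accepts RDP from outside the VPN pool and needs the same `-RemoteAddress` scope or removal.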