IAM policy to restrict access to one VPC

You most likely need to recompose your IAM Policy along the lines of "Example 5. Launching instances into a specific VPC" within "Controlling Access to Amazon VPC Resources":

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:region:account:subnet/*",
      "Condition": {
         "StringEquals": {
            "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-1a2b3c4d"
         }
      }
   },
   ...
   ]
}

That is, the available resources (and their granularity) are specific to each API action, so for the example at hand RunInstances applies to EC2 resources in a specific subnet, and that in turn is part of a VPC; accordingly you need to target the subnets but can further constrain the set of possible subnets by means of their ec2:Vpc attribute via IAM Policy Conditions as outlined above.
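
The matching logic described above, as an added example that is not part of the original answer: a simplified Python model (not AWS's policy engine) of how the subnet statement is checked against the resources of a RunInstances call. The region, account id, subnet ids, second VPC id and the `INSTANCE_STMT` statement are constructed assumptions.

```python
import fnmatch

# Constructed placeholders for the page's "region:account"; the VPC id is the page's.
PREFIX = "arn:aws:ec2:us-east-1:111122223333:"
VPC_ARN = PREFIX + "vpc/vpc-1a2b3c4d"
SUBNET_STMT = {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": PREFIX + "subnet/*",
    "Condition": {"StringEquals": {"ec2:Vpc": VPC_ARN}},
}
# Hypothetical stand-in for one of the statements the page elides with "...".
INSTANCE_STMT = {"Effect": "Allow", "Action": "ec2:RunInstances",
                 "Resource": PREFIX + "instance/*"}

# Constructed request resources: (resource ARN, condition context for that resource).
SUBNET_IN_VPC = (PREFIX + "subnet/subnet-aaaa1111", {"ec2:Vpc": VPC_ARN})
SUBNET_OTHER = (PREFIX + "subnet/subnet-bbbb2222", {"ec2:Vpc": PREFIX + "vpc/vpc-9z8y7x6w"})
INSTANCE = (PREFIX + "instance/i-00000000", {})


def statement_allows(stmt, action, resource_arn, context):
    """Simplified model: True if this Allow statement matches the request."""
    if stmt["Effect"] != "Allow" or stmt["Action"] != action:
        return False
    # Resource patterns use * wildcards; fnmatchcase approximates that here.
    if not fnmatch.fnmatchcase(resource_arn, stmt["Resource"]):
        return False
    # StringEquals: every listed key must be present and equal the expected value.
    conditions = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(key) == value for key, value in conditions.items())


def run_instances_allowed(statements, resources):
    """RunInstances touches several resources; each needs a matching Allow."""
    return all(
        any(statement_allows(s, "ec2:RunInstances", arn, ctx) for s in statements)
        for arn, ctx in resources
    )


if __name__ == "__main__":
    both = [SUBNET_STMT, INSTANCE_STMT]
    print("subnet in VPC:  ", run_instances_allowed(both, [SUBNET_IN_VPC, INSTANCE]))
    print("subnet elsewhere:", run_instances_allowed(both, [SUBNET_OTHER, INSTANCE]))
    print("subnet stmt only:", run_instances_allowed([SUBNET_STMT], [SUBNET_IN_VPC, INSTANCE]))
```

The last case returns False because the subnet statement alone does not cover the instance resource, which is why the policy needs further statements where the page shows "...".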