So I am not 100% sure about the setup yet, but currently, if I read your setup correctly, you are expecting a client not to be able to connect if they don't have the group or network for the app they are trying to get to.
In this case, people go to NPM and from NPM to VaultWarden. If so, once a NetBird client reaches NPM, the access is not evaluated any further, as NPM is a reverse proxy.
What you might be looking into is installing a reverse proxy (NGINX) on every machine and making the server itself proxy the request, rather than using one machine to do it directly, saving you the trouble of having another check inside the app.
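As an added illustration of the per-machine proxy layout described above (this is example configuration, not something from the original post or from the NetBird or VaultWarden projects), here is what an NGINX server block on the VaultWarden host itself could look like. It assumes, because the thread does not say, that the host's NetBird peer address is 100.64.0.10 on the tunnel interface, that VaultWarden listens on 127.0.0.1:8080, and that a certificate for the internal name already exists at the paths shown; adjust all of these to your own setup.

```nginx
# Added example, not from the original post.
# Assumed values: NetBird peer address 100.64.0.10 on this host,
# VaultWarden bound to 127.0.0.1:8080, certificate paths below.
server {
    # Bind only to the NetBird peer address, not 0.0.0.0. The only path to
    # this listener is then the NetBird tunnel, so the NetBird policy for
    # *this* host decides which peers can connect; nothing on the LAN side
    # can reach it, and no upstream proxy hop hides the real peer.
    listen 100.64.0.10:443 ssl;
    server_name vault.example.internal;

    ssl_certificate     /etc/ssl/private/vault.crt;
    ssl_certificate_key /etc/ssl/private/vault.key;

    location / {
        # VaultWarden itself stays on loopback and is never exposed directly.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrades through for the web vault's live sync.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The check to run afterwards: from a NetBird peer that is not in the group allowed to reach this host, `curl -k https://100.64.0.10/` should fail to connect at all (the NetBird policy drops the traffic before NGINX ever sees it), while an allowed peer gets the VaultWarden login page. The caveat is that this only works if clients connect to the VaultWarden host directly; if NPM still sits in front and forwards to it, the NetBird policy on this host is evaluated against NPM's peer identity, not the user's, which is exactly the situation described above.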