To fully enforce this, you will need Device Owner permission. Any user can go to Settings -> Network and disable the VPN, and can re-enable the network permission for each app.
Other users cannot enable or disable Mobile Data, but they can enable and disable WiFi, so disabling Mobile Data is not a good solution.
A solution that is not foolproof is to set the Private DNS to a bad URL, e.g. example.com. That URL does not provide DNS, so DNS resolution will fail, and the other User cannot change it. However, a User can bypass it by configuring a VPN app.
https://github.com/BinTianqi/OwnDroid can do it. You can do a lot more than disabling Network Permissions for an entire Profile with it, but this is one of the capabilities.
However, enabling Device Owner requires having no User + Work + Private Profiles and no Accounts on your phone (or temporarily disabling apps that manage these accounts; basically Settings -> Passwords, passkeys and accounts needs to be empty).
You can re-add Accounts (or re-enable the disabled apps) after enabling Device Owner.
Having a Device Owner also comes with some restrictions: your main Owner profile will not be able to use Private Space anymore (other Profiles will be able to), and no Profile will be able to set up a Work Profile anymore.
Lastly, the system Backup service (Seedvault) might get disabled by default, but OwnDroid lets you re-enable it (System -> Options -> Backup service).
I suggest looking into https://github.com/aistra0528/Hail as well for other Device Owner uses. The Device Owner permission will need to be given instead to https://github.com/iamr0s/Dhizuku, which is basically an app that allows any other compatible app (Hail + OwnDroid) to both use Device Owner capabilities through it, so that you are not limited to a single app having Device Owner capabilities.
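
A pre-flight check for the "no other profiles, no accounts" requirement described above, as an added example that is not part of the original post or of OwnDroid/Dhizuku. It parses the output of `adb shell pm list users` and `adb shell dumpsys account`; the sample outputs are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check before enabling Device Owner.
# Sample outputs below are constructed, not captured from a real device.
SAMPLE_USERS='Users:
    UserInfo{0:Owner:c13} running
    UserInfo{10:Work profile:1030} running'
SAMPLE_ACCOUNTS='User UserInfo{0:Owner:c13}:
  Accounts: 1
    Account {name=user@example.com, type=com.example}
User UserInfo{10:Work profile:1030}:
  Accounts: 0'

# Count users/profiles other than user 0 in `pm list users` output.
count_extra_users() {
    printf '%s\n' "$1" | grep -c 'UserInfo{[1-9][0-9]*:' || true
}

# Sum the per-user "Accounts: N" lines of `dumpsys account` output.
count_accounts() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*Accounts:/ { n += $2 } END { print n + 0 }'
}

# Prints "ready" and returns 0 only when nothing blocks Device Owner setup.
device_owner_ready() {
    users=$(count_extra_users "$1")
    accounts=$(count_accounts "$2")
    if [ "$users" -eq 0 ] && [ "$accounts" -eq 0 ]; then
        echo "ready"
        return 0
    fi
    echo "blocked: $users extra user(s)/profile(s), $accounts account(s)"
    return 1
}

if [ "${1:-}" = "--device" ]; then
    # Live check over adb (requires USB debugging on the phone).
    device_owner_ready "$(adb shell pm list users)" "$(adb shell dumpsys account)"
else
    # Offline demo on the constructed samples; reports what is blocking.
    device_owner_ready "$SAMPLE_USERS" "$SAMPLE_ACCOUNTS" || true
fi
```

Run it with `--device` to check a connected phone; without arguments it only evaluates the constructed samples.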