If I understand correctly, you want a way to mark tunneled VPN traffic as "external" so that the Cortex XDR-managed Windows Firewall can scrutinize the traffic. If that is accurate, I would recommend disabling the Network Location Configuration setting in the Agent Settings Profile for your target endpoint(s). You can do this by going to Endpoints > Profiles, editing your target profile, and then disabling the Network Location Configuration item as shown below.
Once completed, all traffic will be considered External as there will no longer be tests to evaluate positioning. Please let me know how this works for you.
PS: As an alternative, you can also configure the Network Location Configuration to test for an IP or Domain that you know will fail over the VPN tunnel. However, this would require more advanced knowledge of the network configuration.