@ChrisK Thanks for reaching out.
To get a certificate via NDES, NDES verifies the request using a challenge-response method. The Intune Connector helps to get the challenge and deliver that challenge to the mobile devices using the Intune service. (In Intune you will actually deploy a SCEP profile to devices.)
So when the devices reach out to the NDES via this URL, they already have a challenge which is known to NDES Service and gets verified during the process.
Any other random device/service won't be able to get that challenge and hence cannot proceed further even if they have the URL.
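The gating described in the answer above, as an added example that is not part of the original answer and is not NDES or Intune code: a simplified in-memory model in which only a device that received a challenge over the management channel can get a certificate request accepted. The class and function names, the URL and the single-use behaviour are assumptions of this example.

```python
import hmac
import secrets

SCEP_URL = "https://ndes.example.test/scep"  # constructed placeholder URL


class EnrollmentService:
    """Simplified stand-in for the NDES side: it knows the challenges it issued."""

    def __init__(self):
        self._pending = set()  # challenges issued but not yet redeemed

    def issue_challenge(self):
        # Requested on behalf of a managed device, never by the device itself.
        challenge = secrets.token_urlsafe(24)
        self._pending.add(challenge)
        return challenge

    def handle_request(self, csr_subject, challenge):
        # Knowing the URL is not enough: the request must carry a known challenge.
        if challenge is None:
            return "REJECTED"
        match = None
        for known in self._pending:
            if hmac.compare_digest(known.encode(), challenge.encode()):
                match = known
        if match is None:
            return "REJECTED"
        self._pending.discard(match)  # assumption of this example: single use
        return f"ISSUED:{csr_subject}"


def deliver_via_management_channel(service):
    # Models the SCEP profile pushed to a managed device: URL plus challenge.
    return {"scep_url": SCEP_URL, "challenge": service.issue_challenge()}


def demo():
    service = EnrollmentService()
    profile = deliver_via_management_channel(service)
    managed = service.handle_request("CN=managed-device", profile["challenge"])
    no_challenge = service.handle_request("CN=unknown-device", None)
    guessed = service.handle_request("CN=unknown-device", secrets.token_urlsafe(24))
    replayed = service.handle_request("CN=unknown-device", profile["challenge"])
    return managed, no_challenge, guessed, replayed


if __name__ == "__main__":
    print(demo())
```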