@Nathan Loika Thank you for reaching out to Microsoft Q&A. I understand that you have a Hub and Spoke setup with P2S VPN Gateway on the Spoke VNet and the Hub VNet has the FW. The Hub and Spoke are connected via V2V Gateway. However, I am unable to understand your requirement. When you say you want to restrict all traffic from P2S VPN to only be able to reach Hub VM, do you mean that you do not want P2S client traffic to access the Spoke Network? In this case, can you set up the P2S VPN GW on the Hub itself?
Here is an example of the same: Manage secure access to resources in spoke VNets for User VPN clients with Network Diagram as shown below:
Please let me know. Thank you!