Firstly, the unmanaged app is an app that doesn’t have Intune app protection policies applied to it.
https://video2.skills-academy.com/zh-cn/mem/intune/apps/app-protection-policy
After that, we can check which app has been targeted in app protection policy, as below sample: Outlook and Word apps are the policy managed apps:
In addition, only for apps have been integrated with the Intune SDK or wrapped by the Intune App Wrapping Tool can be managed using Intune app protection policies. There is the official list of Microsoft Intune protected apps that has been built using these tools and are available for public use.
For your request that to lock down the ability for users to connect to our O365 resources from only our defined Intune managed applications, which have an application protection policy assigned so we can ensure our data is protected. How about selecting multiple controls in Conditional access policies: Require device to be marked as compliant, Require approved client app and Require app protection policy (Preview)?