Q. Is it possible to restrict users connecting via site-to-site or point-to-site to a specific virtual subnet in a virtual network?
A. There is no capability to specify a certain virtual subnet as the only target for communication from connections originating via site-to-site or point-to-site sources. However, it is possible to leverage Network Security Groups (NSGs), as I described at http://windowsitpro.com/azure/network-security-groups-defined. Using NSGs, it would be possible to create rules between virtual subnets, and even specific hosts, to control traffic flow. Technically, those rules could block traffic based on the source IP address of the on-premises network or the point-to-site address pool.
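
One way to apply the NSG approach described above, as an added example that is not from the original article: a single NSG with deny rules for the VPN source ranges, attached to every subnet except the one VPN users are meant to reach. It assumes the Az PowerShell module; the resource group, virtual network, subnet and NSG names and both address ranges are constructed placeholders.

```powershell
# Added example; every name and address range below is a constructed placeholder.
$rg            = 'rg-network'      # hypothetical resource group
$vnetName      = 'vnet-prod'       # hypothetical virtual network
$allowedSubnet = 'AppSubnet'       # the only subnet VPN users should reach
$vpnSources    = [ordered]@{
    'OnPrem' = '192.168.0.0/16'    # on-premises range behind the site-to-site tunnel
    'P2S'    = '172.16.201.0/24'   # point-to-site client address pool
}

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg

# One inbound deny rule per VPN source range. The explicit deny is needed because
# the default AllowVnetInBound rule (priority 65000) uses the VirtualNetwork tag,
# which also covers address space connected through the gateway. A lower priority
# number is evaluated first, so 100 and 110 win over the default.
$priority = 100
$rules = foreach ($name in $vpnSources.Keys) {
    New-AzNetworkSecurityRuleConfig -Name "Deny-$name-Inbound" `
        -Description "Block traffic arriving from the $name VPN range" `
        -Access Deny -Direction Inbound -Priority $priority -Protocol '*' `
        -SourceAddressPrefix $vpnSources[$name] -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
    $priority += 10
}

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-deny-vpn-sources' `
    -ResourceGroupName $rg -Location $vnet.Location -SecurityRules $rules

foreach ($subnet in $vnet.Subnets) {
    # Leave the permitted subnet open and never attach an NSG to GatewaySubnet.
    if ($subnet.Name -in @($allowedSubnet, 'GatewaySubnet')) { continue }

    # A subnet holds one NSG; do not silently replace rules that already exist.
    if ($subnet.NetworkSecurityGroup) {
        Write-Warning "$($subnet.Name) already has an NSG; add the deny rules to it instead."
        continue
    }
    $subnet.NetworkSecurityGroup = $nsg
}

# Push the updated subnet associations back to Azure.
$vnet | Set-AzVirtualNetwork | Out-Null
```

Subnets added to the virtual network later are not covered until the NSG is associated with them as well, so the association step has to be repeated whenever the subnet layout changes.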