There’s a built-in network toggle for applications (in their respective App Info / Permissions page) in GrapheneOS. So, if you’re on Graphene, it’s a piece of cake.
As for the “using app over a VPN” thing, you can just turn on “Always-on VPN” and “Block connections without VPN” toggles in Settings / Network and Internet / VPN / <Your-VPN-Settings>.
There’s a built-in network toggle for applications (in their respective App Info / Permissions page) in GrapheneOS. So, if you’re on Graphene, it’s a piece of cake.
Else, you might want to look into NetGuard (https://f-droid.org/packages/eu.faircode.netguard/), which offers app-wise internet blocking.
As for the “using app over a VPN” thing, you can just turn on “Always-on VPN” and “Block connections without VPN” toggles in Settings / Network and Internet / VPN / <Your-VPN-Settings>.