VMware Horizon Community
ccmao
Contributor

How to block internet login?

Hi all,

I have prepared a demo of VMware Horizon 5.3.2 as a POC for my company. Here is a problem I can't figure out: how do I prevent staff who do not have the privilege from logging in from the internet? (All staff are permitted to log in from the company intranet, provided they have a legal account.)

Thanks in advance ^_^

4 Replies
MartinE11
Enthusiast

As far as I know you can't do that by default. A way to handle it is by using 2-factor authentication (for example with SMS codes). Users that are not registered by the SMS-Gateway/SMS-Provider can't log in as they never receive an SMS code.

TomMar
Contributor

You could just create two different pools. For the people who are allowed to log in from the internet, entitle them to that pool and then mask the other pool from the external connection server.

kermic
Expert

To expand TomMar's reply a bit:

You'd need to set up at least 2 pools and decide which one will be accessible from external networks. Let's say PoolA accessible internally only, PoolB accessible internally and from outside.

Then set up at least 2 connection servers and decide which one will serve the external connections. For example, CS1 works internally only, CS2 is accessible from external networks (likely paired up with a Security Server).

Then use restricted entitlements to control who can use what: Restricting View Desktop Access

Create 2 tags, e.g. "internal only" and "unrestricted". You will apply those tags on your connection servers and pools. To put it simply, the connection will be allowed through only if the tags match.

Apply the "internal only" tag to your PoolA, and "unrestricted" to PoolB.

Then apply both tags to your internal connection server CS1, since all users might want to connect from corporate networks. And apply only the "unrestricted" tag to CS2. Thus if someone attempts to use PoolA via CS2 (from external networks) the connection will not be allowed through since CS2 only has the "unrestricted" tag, however PoolA has "internal-only" tag - mismatch, deny.

Hope this makes sense :)

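Added example, not part of the thread and not VMware code: a small Python model of the tag matching described in the reply above, usable as a sanity check that a planned tag layout keeps internal-only pools off the external connection server. User names and the entitlement lists are constructed sample data, and the handling of untagged pools (reachable through any server) is an assumption to confirm against the Restricting View Desktop Access documentation.

```python
# Model of restricted entitlements: a connection server may broker a pool
# only when their tags match. All inventory below is constructed sample data.

def tags_allow(server_tags, pool_tags):
    """True if a connection server with server_tags may broker this pool."""
    if not pool_tags:
        # Assumption: a pool with no tags is not restricted to any server.
        return True
    return bool(set(server_tags) & set(pool_tags))

SERVERS = {
    "CS1": {"tags": {"internal-only", "unrestricted"}, "external": False},
    "CS2": {"tags": {"unrestricted"}, "external": True},
}
POOLS = {
    "PoolA": {"tags": {"internal-only"}, "entitled": {"alice", "bob", "carol"}},
    "PoolB": {"tags": {"unrestricted"}, "entitled": {"alice"}},
}

def reachable_pools(server, servers=SERVERS, pools=POOLS):
    """Pools that the named connection server is allowed to broker."""
    return sorted(name for name, cfg in pools.items()
                  if tags_allow(servers[server]["tags"], cfg["tags"]))

def external_users(servers=SERVERS, pools=POOLS):
    """Users who can reach at least one desktop through an external server."""
    users = set()
    for name, srv in servers.items():
        if srv["external"]:
            for pool in reachable_pools(name, servers, pools):
                users |= pools[pool]["entitled"]
    return sorted(users)

def audit(internal_pools, servers=SERVERS, pools=POOLS):
    """(server, pool) pairs where a pool meant to stay internal is exposed."""
    return [(name, pool)
            for name, srv in sorted(servers.items()) if srv["external"]
            for pool in reachable_pools(name, servers, pools)
            if pool in internal_pools]

if __name__ == "__main__":
    print("CS2 can broker:", reachable_pools("CS2"))
    print("Users with external access:", external_users())
    print("Exposed internal pools:", audit({"PoolA"}))
```

Under the stated assumption, a pool that was meant to be internal but left untagged shows up in `audit`, which is the misconfiguration to look for before exposing CS2.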
bjohn
Hot Shot

VMware needs to come up with a better solution for this problem that has existed forever.
