There is currently no provision to limit access to a single console as you desire. Work is in progress to address this in a future release with changes to vSphere/ESXi/etc. and VMRC.
We've had the same problem. The only way I've found around it is:
Create two roles:
Host Access > Don't tick any permissions, this is read only > Assign to AD Security group: VM_HostAccess > Assign this to the Host Cluster object
VM - Console Only > Tick the console access role permissions > Assign to AD Security groups for each VM > Assign this to each VM or VM Folder
Either make each user a member of the VM_HostAccess security group or make each of the per-VM security groups a member of that group.
That grants the client the ability to connect to the Host, but not see anyone's VMs until they are a member of the second group.
Hope that makes sense!
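The two-role setup described in the post above, scripted with VMware PowerCLI as an added example that is not part of the original post. The cluster name, the EXAMPLE domain, the per-VM group names and the VM names are hypothetical. Mapping "console access" to the VirtualMachine.Interact.ConsoleInteract privilege and turning propagation off on the cluster assignment are assumptions, the latter because VMs also inherit permissions from their parent cluster.

```powershell
# Added example, not from the original post. Assumes VMware PowerCLI is
# installed and Connect-VIServer has already been run against vCenter.
# Every name below is a hypothetical placeholder.
$cluster   = Get-Cluster -Name 'Cluster01'
$hostGroup = 'EXAMPLE\VM_HostAccess'
$vmGroups  = @{
    'app-vm-01' = 'EXAMPLE\VM_app-vm-01_Console'
    'app-vm-02' = 'EXAMPLE\VM_app-vm-02_Console'
}

# Role 1: "Host Access" with no privileges selected.
$hostRole = New-VIRole -Name 'Host Access'

# Role 2: "VM - Console Only". Assumption: the console permission the post
# refers to is the "Console interaction" privilege.
$consolePriv = Get-VIPrivilege -Id 'VirtualMachine.Interact.ConsoleInteract'
$consoleRole = New-VIRole -Name 'VM - Console Only' -Privilege $consolePriv

# Host Access goes on the cluster object. Propagation is off (assumption) so
# the assignment is not inherited by every VM running in the cluster.
New-VIPermission -Entity $cluster -Principal $hostGroup `
    -Role $hostRole -Propagate:$false | Out-Null

# Console Only goes on each VM, for that VM's own AD security group.
foreach ($vmName in $vmGroups.Keys) {
    $vm = Get-VM -Name $vmName
    New-VIPermission -Entity $vm -Principal $vmGroups[$vmName] `
        -Role $consoleRole -Propagate:$false | Out-Null
}

# Audit: list what applies to each VM, including inherited assignments.
# Any principal other than the VM's own group (or admins) is a finding.
foreach ($vmName in $vmGroups.Keys) {
    Get-VIPermission -Entity (Get-VM -Name $vmName) |
        Select-Object Entity, Principal, Role, Propagate
}
```

To assign at VM folder level instead, as the post also allows, pass a folder object from Get-Folder as -Entity and set -Propagate:$true so the VMs in that folder inherit the role.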