Hello, yes, in order to restrict access to Azure AD applications per customer/VM you will have to create a set of app registrations for each one and limit user access. In order to simplify management you may create an Azure AD Dynamic Group per customer/VM/app set and assign it to the application. E.g. you can create a group for customer #1 that dynamically builds its member list (using dynamic rules) from users that are external and whose email ends with @customer1.com.
For external Azure AD users, you may create a multi-tenant app. No user should be allowed to log in to the home tenant (where the app registrations are created), but once they get onboarded in a customer tenant, it will be the customer who manages who has access to their application instance.
Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.
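As an added illustration of the per-customer dynamic group and app assignment described in the answer above (this is example code, not part of the original answer or any Microsoft sample), the following Microsoft Graph PowerShell SDK script creates a dynamic security group for one customer's guest users, enables "User assignment required" on that customer's enterprise application, and assigns the group to it. The customer name, domain, app display name and the assumption that the app registration already exists are placeholders; the default-access app role ID (all zeros) is the one Azure AD uses when the app defines no app roles.

```powershell
# Added example (not from the original answer). Requires the Microsoft.Graph
# PowerShell SDK. All names and domains below are placeholders.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

# Assumed: one customer and the external domain its users sign in with.
$customer       = "customer1"
$customerDomain = "customer1.com"

# Assumed: the app registration for this customer already exists; resolve its
# service principal (the "enterprise application") by display name.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Customer1-Portal'"
if (-not $sp) { throw "Service principal for $customer not found" }

# Check that matters for the access restriction: unless assignment is required,
# every user in the tenant (including other customers' guests) can sign in to
# the app, and assigning a group does not block anyone.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Dynamic membership rule: external (guest) users whose mail ends with the
# customer's domain. -match takes a regex, so escape the dot and anchor the end.
$domainRegex = [regex]::Escape($customerDomain)
$rule = '(user.userType -eq "Guest") and (user.mail -match "@{0}$")' -f $domainRegex

$group = New-MgGroup -DisplayName "Dyn-$customer-AppUsers" `
    -MailEnabled:$false `
    -MailNickname "dyn-$customer-appusers" `
    -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Assign the dynamic group to the customer's app. The all-zeros role ID is the
# default access role used when the app registration defines no app roles.
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id `
    -ResourceId $sp.Id `
    -AppRoleId "00000000-0000-0000-0000-000000000000"

Write-Host "Group '$($group.DisplayName)' ($($group.Id)) assigned to '$($sp.DisplayName)'"
Write-Host "Membership rule: $rule"
```

Repeat the script once per customer/app set. Dynamic membership is evaluated asynchronously, so the group's member list fills in a few minutes after creation; verify with `Get-MgGroupMember -GroupId $group.Id` before telling the customer their users can sign in.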