Hi @IT Matt R,
Thank you for posting in this community.
Yes, you can use a mixture of Conditional Access Policy and MS Purview sensitivity labels to prevent them contractor accessing any other SharePoint site. Just use the label created by MS Purview when setting up the authentication context.
You can follow this article to plan your conditional access policy:
Plan a Conditional Access deployment.
You can follow this article to set a sensitivity label to apply the authentication context to labeled sites:
Conditional access policy for SharePoint sites and OneDrive
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.