I understand now. MDFC is a subscription-level service. Most of the settings cannot be scoped or excluded on specific resources. In this example, you want to limit MDE onboarding to a single VM. I recommend leaving this turned off in MDFC. You can onboard individual servers and devices using MDE's own onboarding tools. That option was added for scenarios like this.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboard-windows-server