@Walker Chong Kindly note that the "Not allowed resource types" built-in policy enables you to specify the resource types that your organization cannot deploy. When creating or updating a matched resource in a Resource Manager mode, deny prevents the request before being sent to the Resource Provider. The request is returned as a 403 (Forbidden). In the portal, the Forbidden can be viewed as a status on the deployment that was prevented by the policy assignment. For a Resource Provider mode, the resource provider manages the evaluation of the resource.
During evaluation of existing resources, resources that match a deny policy definition are marked as non-compliant.
For your requirement, you will be able to create a new virtual machine with an existing virtual network. However, you will be able to create a new virtual network within the scope mentioned in the Azure Policy.
@Walker Chong Did you get a chance to look into my previous comment? Kindly revert if you have further questions.
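For reference, a custom policy definition with the same shape as the deny rule described in the answer above. This is an added example, not part of the original reply and not the built-in definition's exact text; the display name and the sample default value are constructed for illustration.

```json
{
  "properties": {
    "displayName": "Deny selected resource types (example)",
    "policyType": "Custom",
    "mode": "All",
    "parameters": {
      "listOfResourceTypesNotAllowed": {
        "type": "Array",
        "metadata": {
          "displayName": "Not allowed resource types",
          "description": "Constructed sample value; replace with the types your organization must not deploy.",
          "strongType": "resourceTypes"
        },
        "defaultValue": [
          "Microsoft.Network/virtualNetworks"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": "[parameters('listOfResourceTypesNotAllowed')]"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The condition tests the `type` field of the resource in the create or update request, and the definition only takes effect at the scope where it is assigned.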