What is the difference between using managed apps and user-installed apps?
At a technical level, nothing. Apps in the "work profile" are exactly as implied: managed by the org, able to have their data wiped, and subject to APP policies. Apps in the "personal profile" are not. Thus, this is mainly a privacy and control mechanism.
How to restrict users to accessing O365 resources through managed apps only?
Conditional access accounts for the different profiles, so as long as the CA profile requires the device to be managed, only apps in the "work profile" will meet this criterion. In many (but not all) respects, it's almost like having two separate devices.