Can you clarify you question here? Are you trying to block specific EXEs or all EXEs?
All EXEs are ultimately portable so not sure exactly what that caveat means in your question although I assume you mean portable applications. If so, there's nothing unique about these EXEs; they just aren't formally "installed" and thus there is no way to only block EXEs associated with a "portable" application as this isn't a formal, technical construct that can be evaluated. Basically, all EXEs are created equally so there's no way to distinguish those associated with a "portable" app from those associated with an "installed" app.
If you have a list of specific EXEs that you want to block, then you can use either AppLocker or App Control.
References:
- https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-using-applocker-to-create-custom-intune-policies-for/ba-p/364981
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune