In testing we see that app control is not currently able to block Nord VPN due to the dynamic nature of Nord's VPN services used.
The domain Nord VPN uses to connect via SSL is randomized so it makes blocking the TLS client hello more difficult. If DPI SSL is enabled the connection will fail but this is due to certificate pinning. Additionally the Nordlynx signature is not currently a part of App Control which rides on UDP port 51820.
Create a DENY policy for UDP port 51820. In lab testing the VPN will not connect if access to this port is denied.