How to configure Windows Defender Firewall for ssh-tunneled VNC service
Baeolophus
I have to confess, I am a bit unfamiliar with the Windows Defender Firewall. I am used to firewalls that pass, block or reject traffic on specific interfaces using specific Level 4 transport protocols (TCP, UDP, ICMP, etc.) and specific ports at the Application Layer (22 for ssh, 445 for SMB, 143 for IMAP and 993 for IMAPS, etc.). It seems to me that the Windows Defender Firewall approaches traffic as belonging to specific apps transmitting or receiving network traffic. This is why I am looking for help with setting it up correctly for my purpose.

That purpose is to provide VNC remote access to a Windows host. A Mac or Linux host with its built-in VNC client software is to make the connection. I am planning to use the TightVNC server for Windows for that (it uses inbound Port 5900). Because there is no VNCS protocol at this point, and the password in the implementation only allows for 8 characters encrypted with a 56-bit DES key algorithm, this is no longer considered secure.

The solution is to run the VNC connection through an ssh tunnel initiated by the client first, which takes local traffic on Port 5900 through the ssh tunnel (fully and securely encrypted) on Port 22 to the Windows host. The Windows host runs an ssh server (instructions at the Windows OS Hub), which takes the decrypted VNC packets and re-presents them to the local TightVNC server on Port 5900.

The Windows Defender Firewall must permit inbound ssh connections (again TCP on Port 22) to the sshd service, but disallow direct VNC connections on Port 5900 from any source besides localhost. How do I configure this?
 
Windows Build/Version
22631.4169

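One way to express the rule set described in the post as Windows Defender Firewall rules, written as an added example (not taken from the thread or from TightVNC/OpenSSH documentation). It assumes the OpenSSH server runs as the Windows service named "sshd" and relies on the firewall's default inbound Block policy rather than a separate Block rule; the rule display names are arbitrary.

```powershell
# Added example: firewall rules for an ssh-tunneled VNC service on Windows.
# Run in an elevated PowerShell. The rule display names and the service
# name "sshd" are assumptions; adjust them to the local install.
#
# Client side (Mac/Linux), as the post describes:
#   ssh -L 5900:127.0.0.1:5900 user@windows-host
# then point the VNC client at localhost:5900 on the client machine.

# 1. Keep the default inbound policy at Block for every profile, so anything
#    without an explicit Allow rule (including direct VNC on 5900) is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Allow inbound TCP 22 only for the OpenSSH server service.
#    Optionally add -RemoteAddress to limit which networks may reach sshd.
New-NetFirewallRule -DisplayName "SSH server (TCP 22)" `
    -Direction Inbound -Protocol TCP -LocalPort 22 `
    -Service sshd -Action Allow -Profile Any

# 3. Allow TCP 5900 only when the peer is the host itself. sshd forwards the
#    tunneled VNC traffic to 127.0.0.1:5900, so loopback is the only source
#    that should ever reach the TightVNC server.
New-NetFirewallRule -DisplayName "TightVNC (loopback only)" `
    -Direction Inbound -Protocol TCP -LocalPort 5900 `
    -RemoteAddress 127.0.0.1,::1 -Action Allow -Profile Any

# 4. Disable any broader Allow rule for port 5900 (for example one added by
#    the TightVNC installer); otherwise it would still admit remote clients.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne "TightVNC (loopback only)" } |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "5900" } |
    Disable-NetFirewallRule

# 5. Verify: list every enabled inbound rule touching port 22 or 5900,
#    with its action and the remote addresses it is scoped to.
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $port = ($_ | Get-NetFirewallPortFilter).LocalPort
    if ($port -contains "22" -or $port -contains "5900") {
        [pscustomobject]@{
            Name   = $_.DisplayName
            Action = $_.Action
            Port   = ($port -join ",")
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ",")
        }
    }
}
```

After running it, the verification listing should show 5900 allowed only for 127.0.0.1 and ::1 and 22 allowed only for the sshd service; any other enabled Allow entry on 5900 is a hole to close.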