I would highly recommend against the use of vpn-filter at this time. I attempted it on several versions of 7.2.1 and 7.2.2, even an engineering release given by TAC which was supposed to work. I was able to get it to function, but at random times, the ASA would begin to block all traffic on the tunnels.
I ended up doing away with "sysopt connection permit-ipsec" and using my regular interface ACLs for IPsec traffic filtering.
The direction of the ACL is a little tricky. After much testing, I was able to determine that the ACL is "in outside interface". But the tricky part is it is not stateful! If you allow the traffic out from the inside, you must specifically allow the return traffic back in. It's kind of like writing an ACL in a switch.
You should be able to restrict traffic from outside; make sure you apply the filter to the group policy and then tear down the tunnel. If you don't tear it down and bring it back up, the changes won't be in effect.