Do you control the connection string the application uses? If yes, are the users in the group prevented from seeing the connection string either due to the architecture or the fact that the information is compiled into the app or in an encrypted config file? If yes again then you could add an application name to the connection string and setup a login trigger to deny logins unless the application name were what the application had setup in its connection string. This is technically only an obfuscation, not security, but it could tighten things up a little.

Hosting the app in a virtual desktop environment, preventing the use of client tools in that environment, and locking down access to the instance using network segmentation is a complete solution.