• If it's a user-owned laptop, not a company asset, this isn't going to be possible.

    If it's a company-owned asset, you can have the laptop be part of the domain. Depending on the type of VPN, when that VPN connection is made, the laptop will see the DC. And that means if they're using their domain user credentials to connect, the laptop will authenticate on the domain and the user will validate. Then the user should be able to connect via Windows authentication normally. The catch is to allow traffic to the DCs (and to use internal DNS on the VPN configuration so the laptop can locate the DCs).

    My work laptop used to be set up this way when I used VPN. And since the paths to the DCs and DNS were mapped properly, I was able to authenticate properly against servers.

    K. Brian Kelley
    @kbriankelley
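
A check for the two conditions named in the post above (internal DNS on the VPN, and traffic allowed to the DCs), run from the domain-joined laptop once the VPN is connected. This is an added example, not part of the original post; the domain name `corp.example.com` is a placeholder, and the port list is an assumption covering the usual client-to-DC services.

```powershell
# Added example: verify a VPN-connected, domain-joined laptop can locate and reach its DCs.
# 'corp.example.com' is a placeholder; pass the internal AD DNS domain name instead.
param(
    [string]$Domain = 'corp.example.com'
)

# TCP services a client normally needs on a DC (assumed list; adjust to your firewall policy).
$ports = @(
    @{ Port = 88;  Name = 'Kerberos' },
    @{ Port = 135; Name = 'RPC endpoint mapper' },
    @{ Port = 389; Name = 'LDAP' },
    @{ Port = 445; Name = 'SMB (SYSVOL/NETLOGON)' }
)

# 1. Internal DNS: the DC locator finds DCs through these SRV records.
#    If this fails, the VPN adapter is not handing out (or not preferring) internal DNS.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "Cannot resolve $srvName. Check the DNS servers assigned by the VPN."
    return
}

# 2. Traffic to the DCs: test each advertised DC on each required TCP port.
$results = foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    foreach ($p in $ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC        = $dc
            Port      = $p.Port
            Service   = $p.Name
            Reachable = $t.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

# 3. Ask the DC locator itself to pick a DC, bypassing its cache.
nltest /dsgetdc:$Domain /force

# Summarize blocked paths so they can be compared against the VPN/firewall rules.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning ("Blocked paths: " + (($blocked | ForEach-Object { "$($_.DC):$($_.Port)" }) -join ', '))
}
```

`Test-NetConnection` checks TCP only, so a UDP-only block (for example Kerberos over UDP 88) will not show up in the table.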