Applying the ACL to the VTI directly seems most appropriate. A big reason to use VTI versus crypto map is so that you can treat it as any "normal" interface, so to me it just feels like the most intuitive and "clean" configuration, so to speak.
Also, agreed with /u/packet_whisperer: vpn-filter is an incredibly hacky feature. In addition to only being able to specify the single policy inbound, it's also a stateless filter. With vpn-filter you lose a lot of what makes a firewall a firewall.