The simplest way would be to create forwarding rules in the firewall that don't permit the VPN subnets to talk to anything but the 192.168.1.0/24 network. Alternatively, you could create a separate routing mark for the VPN traffic and it would be isolated to that routing table.
Something kind of like this..you can adjust and bypass as needed
/ip firewall filter
add action=drop chain=forward dst-address=192.168.22.0/24 src-address=192.168.1.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=192.168.22.0/24
add action=accept chain=forward