Can the address be the address assigned to them in the /ppp /secrets local-address? So when those credentials are used they always get the same IP that I can use in FW filter rules?
I am assuming that "Incoming connection requests from the IP address" refers to the contractor's WAN IP address they are coming in from.
The address on the peer is the public one from (from behind) which the contractor will be connecting; if the contractor is a road warrior, this whole approach will not work.
As for firewall handling of the contractor, there are plenty of possibilities: you can set a specific remote-address in the contractor's /ppp secret item, or you can make that item refer to a dedicated /ppp profile which can add the address assigned to his end of the L2TP tunnel to an address-list, or add the name of the dynamically added local L2TP tunnel interface as a member to an interface-list, or it can add a jump to a dedicated firewall chain to a firewall filter chain named ppp. I'll add a link to a recent topic describing this latter variant once I get to a PC.
Also - I assume the /ip ipsec identity colleagues should have a secret in the example provided?
The copy command is actually a copy-with-few-changes one. So if you execute them in the exact form I gave, the secret for colleagues will be inherited from the one you've configured previously on the /service l2tp-server server, which RouterOS has used to dynamically generate the /ip ipsec identity from which you copy it to the static one.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
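
The remote-address and address-list variants mentioned in the reply above, combined into one RouterOS configuration. This is an added example, not part of the original posts; the names contractor and contractor1, the address-list name, all addresses, the password placeholder and the permitted service are constructed assumptions.

```routeros
# Added illustration. All names, addresses and ports below are constructed
# placeholders; adapt them to the actual network.

# Dedicated profile: whenever a secret using it connects, RouterOS adds the
# address assigned to the remote end of the tunnel to the given address-list
# (and removes it again when the session ends).
/ppp profile
add name=contractor local-address=192.168.99.1 address-list=contractors

# Secret bound to that profile, with a fixed remote-address so the same
# credentials always receive the same tunnel IP (handy for logs and audits).
/ppp secret
add name=contractor1 service=l2tp profile=contractor \
    remote-address=192.168.99.10 password=CHANGE-ME

# Filter rules matching on the list rather than on a hard-coded address.
# They have to sit above any broader accept rule in the same chain.
/ip firewall filter
# Only the one service the contractor needs (assumed: HTTPS on one host).
add chain=forward action=accept src-address-list=contractors \
    dst-address=192.168.10.20 protocol=tcp dst-port=443 \
    comment="contractor: permitted service"
# Everything else from the contractor towards the internal networks.
add chain=forward action=drop src-address-list=contractors \
    comment="contractor: drop the rest"
# No management access to the router itself through the tunnel.
add chain=input action=drop src-address-list=contractors \
    comment="contractor: no access to the router"

# Interface-list alternative: create the list first, then let the profile
# add the dynamic L2TP interface to it and match with in-interface-list.
# /interface list add name=contractor-tunnels
# /ppp profile set contractor interface-list=contractor-tunnels
```

After the contractor connects, /ip firewall address-list print should show a dynamic entry for the tunnel address in the contractors list, and the rule counters in /ip firewall filter print stats confirm which rule the traffic is hitting.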