4
votes

Question

Is there a way to make sure accesses are coming only from a specific NLB? Under the current NLB limitations, I am not sure if there is a way.

Limitations

  • AWS Network Load Balancer (NLB) does not have a Security Group (SG), hence an SG cannot be used to verify that the source is the NLB.

  • NLB (instance ID target) preserves the source IP address of the external client, hence the source IP cannot be used to verify that the source is the NLB.


4 Answers

1
votes

One way you could possibly do this is by provisioning the NLB and its EC2 in a separate private subnet reserved just for them, and ensuring your routing rules do not allow other subnets in the VPC to route to the segregated private subnet.

1
votes

You can put the EC2 instance on the NAT subnet, and then point to this EC2 instance through the NLB. This way, although your EC2 security group is set to 0.0.0.0/0, only the NLB can access it.

0
votes

As stated in the AWS NLB document (Target Security Groups), you cannot identify an NLB and make sure the access is only from the NLB if the target type is instance. You need to use the client IP address which accesses the NLB.

Limits
Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic from the load balancer.

You cannot allow traffic from clients to targets through the load balancer using the security groups for the clients in the security groups for the targets. Use the client CIDR blocks in the target security groups instead.

0
votes

Place the EC2 machines in private subnets. If they need to access the internet, set the route table for destination 0.0.0.0/0 to the NAT gateway ID. So the EC2 machines can access the internet via NAT, but no one can access your EC2 instances from outside of the VPC.

Then you can set inbound rules for your EC2 instances even for 0.0.0.0/0. Again, no one (outside of the VPC) can directly access your EC2 instances since they are in a private subnet. If you set up an NLB and attach EC2 instances to it, only connections (according to your NLB listener rules) are allowed to the instances.
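The private-subnet pattern in this answer (and the segregated-subnet idea in the first answer) relies on two conditions that are easy to verify but easy to drift away from: the target instance has no public IP, and its subnet's route table sends 0.0.0.0/0 to a NAT gateway rather than an internet gateway. The following script is an added example, not code from the question or any answer. It audits those two conditions offline against data shaped like the AWS DescribeRouteTables and DescribeInstances responses; the route tables, subnet IDs and instance IDs are constructed sample values, and no AWS API call is made. The same functions can be fed real responses from boto3 or `aws ec2 describe-route-tables` / `describe-instances` output.

```python
"""Offline audit of the 'private subnet + NAT route' pattern for NLB targets.

Added example (not from the original question or answers). Input data is
constructed inline in the shape of the AWS API responses; nothing here
contacts AWS.
"""

# Constructed sample: one private subnet (0.0.0.0/0 -> NAT gateway) and one
# public subnet (0.0.0.0/0 -> internet gateway). IDs are placeholders.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"},
        ],
    },
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"},
        ],
    },
    {
        # VPC main table: applies to subnets without an explicit association.
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        ],
    },
]

# Constructed sample targets: one correctly placed, one exposed.
INSTANCES = [
    {"InstanceId": "i-target-ok", "SubnetId": "subnet-private"},
    {"InstanceId": "i-target-bad", "SubnetId": "subnet-public",
     "PublicIpAddress": "203.0.113.10"},
]


def route_table_for_subnet(subnet_id, route_tables):
    """Return the route table that applies to subnet_id.

    An explicit subnet association wins; otherwise the VPC main table applies,
    which is how AWS resolves routing for unassociated subnets.
    """
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def audit_target(instance, route_tables):
    """Return a list of findings for one NLB target instance.

    An empty list means the instance has no direct inbound path from the
    internet: no public IP, and no route in its subnet to an internet gateway.
    A 0.0.0.0/0 route to a NAT gateway is allowed (outbound-only).
    """
    findings = []
    if instance.get("PublicIpAddress"):
        findings.append("instance has a public IP address")
    rt = route_table_for_subnet(instance["SubnetId"], route_tables)
    if rt is None:
        findings.append("no route table found for subnet")
        return findings
    for route in rt.get("Routes", []):
        gateway = route.get("GatewayId", "")
        if gateway.startswith("igw-"):
            findings.append(
                f"route {route.get('DestinationCidrBlock')} -> {gateway} "
                f"in {rt['RouteTableId']} gives the subnet a direct internet path"
            )
    return findings


def audit_all(instances, route_tables):
    """Map each instance ID to its findings (empty list = passes the check)."""
    return {i["InstanceId"]: audit_target(i, route_tables) for i in instances}


if __name__ == "__main__":
    for instance_id, findings in audit_all(INSTANCES, ROUTE_TABLES).items():
        status = "OK" if not findings else "EXPOSED"
        print(f"{instance_id}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Note what this check does and does not establish: it confirms the instance is unreachable from outside the VPC, which is the property the answers rely on. It says nothing about other workloads inside the VPC, which still reach the instance over the VPC's local route if the security group allows 0.0.0.0/0; restricting that requires network ACLs or tighter security group sources, which this page does not cover.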