If you have a dedicated DMVPN router and want to apply a simple access list to the public interface to block all other traffic, this is what you need opened up:
permit esp any any
permit udp any eq isakmp any eq isakmp
and if you have NAT-T, then you also need:
permit udp any eq non500-isakmp any eq non500-isakmp
This is also assuming you have spokes connecting from unknown IP’s, if you have all static IP’s, you can further lock it down by restricting access to those IP’s only.