I wouldn't recommend using the control plane ACL and honestly saw it in use very rarely. The firewall will only listen to the ports of the services it has enabled as already mentioned and because of the nature of the remote access VPN you wouldn't be able to be sophisticated in saying allow these sources etc, and I think AnyConnect would only use the 443/udp if it is allowed, if not it will keep using the 443/tcp port. For example if you are in a cafe' and there is a firewall blocking any outbound traffic with the exception for port 80/tcp and 443/tcp, AnyConnect in this case will still working using port 443/tcp.
One thing is unfortunately missing on the ASA/FTD is the country-based block of the traffic destined to itself. On some other vendors firewalls you can block the traffic per countries, and you can also shut down the remote access VPN portal, last time I looked into this the FTD was not providing any support to shut down AnyConnect portal. Please take a look at this post of mine if you should be interested in applying the per country-based policies on the traffic passing-through the firewall:
Using the Firepower geolocation | Blue Network Security (bluenetsec.com)
