VPNs and ZTNA differ fundamentally in their approach:
VPN gives you network access. Once connected, you can probe any reachable IP. An attacker who compromises a VPN user can scan the internal network.
ZTNA gives you application access. You see only applications you're authorized to use. Nothing else exists from your perspective.
VPN trusts authenticated users on the network. ZTNA verifies continuously, on every request.
VPN requires backhauling traffic through data centers. ZTNA connects through distributed points of presence closer to users and applications.
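The contrast between network access and per-request application access can be modelled directly. The following Python model is an added example, not code from the original page; the subnet, application names, entitlements and the device-compliance signal are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample environment (assumed values, not from the page).
INTERNAL_NET = ip_network("10.0.0.0/24")
APPS = {"wiki": "10.0.0.10", "payroll": "10.0.0.20", "git": "10.0.0.30"}
ENTITLEMENTS = {"alice": {"wiki", "git"}}

@dataclass
class Session:
    user: str
    authenticated: bool
    device_compliant: bool  # assumed posture signal, re-checked per request

def vpn_reachable(session, dest_ip):
    """VPN model: identity is checked once at connect; after that routing decides."""
    return session.authenticated and ip_address(dest_ip) in INTERNAL_NET

def ztna_visible_apps(session):
    """ZTNA model: the user only ever sees applications they are entitled to."""
    if not (session.authenticated and session.device_compliant):
        return set()
    return ENTITLEMENTS.get(session.user, set()) & set(APPS)

def ztna_authorize(session, app):
    """Evaluated on every request, so a change in session state applies at once."""
    return app in ztna_visible_apps(session)

def exposure(session):
    """Return (internal hosts reachable over VPN, applications reachable over ZTNA)."""
    vpn_hosts = sum(vpn_reachable(session, str(h)) for h in INTERNAL_NET.hosts())
    return vpn_hosts, len(ztna_visible_apps(session))

if __name__ == "__main__":
    alice = Session("alice", authenticated=True, device_compliant=True)
    print("exposure:", exposure(alice))
    print("payroll via VPN:", vpn_reachable(alice, APPS["payroll"]))
    print("payroll via ZTNA:", ztna_authorize(alice, "payroll"))
    alice.device_compliant = False  # state changes mid-session
    print("exposure after posture change:", exposure(alice))
```

Comparing the two numbers returned by exposure() for the same session shows the difference in reachable surface: every address in the subnet under the VPN model, only entitled applications under the ZTNA model.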