Disable Login for certain users

Good day,
I have certain apps, for instance such as Joplin, that can use a WebDAV server for data synchronisation.
So I added on my Nextcloud server a dedicated user, say for Joplin, and created an App Password, as I have enforced 2FA Login on my Nextcloud for all users.
Now it works very well: for instance, the Joplin desktop application can login into my Nextcloud, using the App Password, and sync its data, without messing around with my normal user profile. It is very good.
However, I still can go to the web login form, and try to enter the user credentials of this particular user and try to log in. Of course it does not work, cause I did not configure the TOTP token with this user profile.

Is it somehow possible to have some sort of “Service Accounts”, that are not able to login via the web interface, and can only use an App Password? in other words, can I disable the login for a particular user?
I see it as a security flaw if this particular user can go to the login page, and enter his credentials. This particular user is really only needed for the Joplin desktop app and therefore shall only use the App password and nothing else. It shall also not be possible to share files with this user.

Is some configuration like this possible?