cloudHSM : Does the default ssl key and certificate can be disable at the cloudHSM side?

I read https://repost.aws/questions/QUBJM3pwf7Qa2mwCnKRkW97A/cloudhsmv2-force-tls-client-server-mutual-authentication-or-disable-default-key-on-hsm

and https://repost.aws/knowledge-center/cloudhsm-certificate-encrypted

Using my own produced ssl key and cert (instead of the default one) create a better secure (encrypted) communication between the client and the cloudHSM.

Though this cannot be used to restrict access to cloudHSM from a specific client machine because the default key and cert can always be used from any other machine (along with the root CA).

Is that correct ???

How an access to HSM cluster can be restricted for a specific machine regardless the AWS infrastructure like security groups and private subnet... ? put aside the hsm credentials.