Is it possible to block web traffic (access to external sites) from AppStream Instance?

AppStream by default does not manage or control the network route the user accesses. However, customers can specify security groups to apply to the ENIs that AppStream creates/uses. There are on-instances ways of managing network access, but they're usually able to be circumvented and not easy to manage. If the customer has a well-known set of endpoints the user needs to connect to, the better approach would be to use network security groups to whitelist only those endpoints. That way the instance via network can only access them.

Another approach would be to use a proxy server, which many enterprises use, to control access to the internet.