To be able to restrict the access at tenant/folder level, you need to ensure to not define those scopes at org/tenant level from under external app registration. Instead, you just need to create external application with no scopes or the minimum possible scop and rest of the scope define at folder level.
Currently, its working for all folders in your case because you have defined that scope at org level so its applicable to all tenants and folders within. Follow the first article below to gain better understanding on how this works.
Please refer below docs for same, should help you.