Your clients shouldn't need to bind to an address to , so bindacqaddress is not needed there. Are the NTP clients you are migrating from configured to work as peers on the network? The peer setting in chrony works a bit differently than with ntpd... probably worth digging into the chrony FAQ and documentation regarding things.
If it is not possible to avoid configuring servers that might be routed through the VPN, then iptables is probably best. If the iptables setup is simple (or completely open :-o), adding the following rule should stop chrony from using the tun.
-I OUTPUT -o tun0 -p udp -m udp --dport 123 -j REJECT -m comment --comment "no ntp out to tun0"
("-I" instead of "-A" to insert it before a possible rule that might allow everything outbound.) The exact rule depends on how iptables is set up in your system; there are many ways to do it, but it should work.
If your tun0 routes IPv6 also, then the same for your ip6tables.
As Bill mentioned, "chronyc" can be used to change settings without restarting. It can be used from the command line or as a CLI similar to "ntpq".
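A check for the "-I" versus "-A" ordering point in the reply above, added here as an example and not part of the original post: it walks the OUTPUT chain of an iptables-save dump in first-match order and reports whether NTP (UDP port 123) leaving via tun0 is blocked. The function names and the sample dumps are constructed for illustration; rules using matches this simplified model does not handle are returned for manual review instead of being evaluated.

```python
import shlex
TAKES_VALUE = {"-o", "-p", "-m", "--dport", "-j", "--comment", "--reject-with"}

def parse_rule(line):
    """Options of one '-A CHAIN ...' line, or None if it uses a match this model does not handle."""
    tok, opts, i = shlex.split(line), {}, 2
    while i < len(tok):
        key = tok[i]
        if key not in TAKES_VALUE or i + 1 >= len(tok):
            return None          # negation ("!"), unknown option, or missing value
        if key == "-m" and tok[i + 1] not in ("udp", "comment"):
            return None          # e.g. conntrack: the verdict would depend on packet state
        opts[key] = tok[i + 1]
        i += 2
    return opts

def covers(opts, iface):
    """True if the rule matches a UDP packet to port 123 leaving via iface."""
    out = opts.get("-o")
    if out and out != iface and not (out.endswith("+") and iface.startswith(out[:-1])):
        return False
    if opts.get("-p", "udp") != "udp":
        return False
    lo, sep, hi = opts.get("--dport", "123").partition(":")  # numeric, as iptables-save prints
    low = int(lo or 0)
    return low <= 123 <= (int(hi or 65535) if sep else low)

def ntp_verdict(save_text, iface="tun0", chain="OUTPUT"):
    """First-match walk of the filter table; returns (verdict, rules left for manual review)."""
    table, policy, skipped = None, "ACCEPT", []
    for line in map(str.strip, save_text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith(f"-A {chain} "):
            opts = parse_rule(line)
            target = opts.get("-j") if opts else None
            if target not in ("ACCEPT", "DROP", "REJECT"):
                skipped.append(line)
            elif covers(opts, iface):
                return ("allowed" if target == "ACCEPT" else "blocked"), skipped
    return ("allowed" if policy == "ACCEPT" else "blocked"), skipped

# Constructed iptables-save fragments: the same two rules in both orders.
HEAD = "*filter\n:OUTPUT ACCEPT [0:0]\n"
ALLOW = "-A OUTPUT -j ACCEPT\n"
BLOCK = '-A OUTPUT -o tun0 -p udp -m udp --dport 123 -m comment --comment "no ntp out to tun0" -j REJECT\n'
APPENDED, INSERTED = HEAD + ALLOW + BLOCK + "COMMIT\n", HEAD + BLOCK + ALLOW + "COMMIT\n"
```

ntp_verdict(APPENDED) reports "allowed" because the catch-all ACCEPT matches first, while ntp_verdict(INSERTED) reports "blocked"; on a live system the input would be the output of iptables-save (and ip6tables-save for IPv6).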