When you configure the "Log On To..." restrictions on an AD user object, the name is misleading. The list controls not just which computers the account can log on to, but also which computers it can log on from.
For example: you have a restricted account, say your domain admin account, and you want to restrict it so that it can only log on to your domain controller DC1. In the "Log On To..." setting of your domain admin account you need to list both DC1 and the computer you will be launching RDP from to connect to DC1.
TL;DR: List both your "to" and "from" computers in the Logon Workstations list.
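
The same change scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original note. The account name `da-jsmith` and the workstation name `ADMIN-PC01` are hypothetical placeholders; DC1 is the domain controller from the text.

```powershell
Import-Module ActiveDirectory

function Add-LogonWorkstation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Identity,      # restricted account
        [Parameter(Mandatory)] [string[]] $ComputerName   # "to" AND "from" hosts
    )

    $user = Get-ADUser -Identity $Identity -Properties LogonWorkstations

    # LogonWorkstations is a single comma-separated string.
    # An empty value means the account is not restricted at all.
    $current = @()
    if ($user.LogonWorkstations) {
        $current = @($user.LogonWorkstations -split ',' |
            ForEach-Object { $_.Trim().ToUpper() } |
            Where-Object { $_ })
    }

    # Merge the existing entries with the requested ones, without duplicates.
    $wanted = @($ComputerName | ForEach-Object { $_.Trim().ToUpper() })
    $merged = @($current + $wanted | Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess($Identity, "Set LogonWorkstations to '$($merged -join ',')'")) {
        Set-ADUser -Identity $user -LogonWorkstations ($merged -join ',')
    }

    # Return what is now stored on the object so the result can be checked.
    (Get-ADUser -Identity $Identity -Properties LogonWorkstations).LogonWorkstations
}

# Destination (DC1) and the machine RDP is launched from (hypothetical ADMIN-PC01).
# Drop -WhatIf to apply the change.
Add-LogonWorkstation -Identity 'da-jsmith' -ComputerName 'DC1', 'ADMIN-PC01' -WhatIf
```

With `-WhatIf` the function only reports the list it would write and returns the current value, which makes it easy to confirm that the "from" computer is present before tightening the restriction.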