With a limited budget and the scenario you posted, I would do this one of two ways. It is not ideal but will get the job done.
A) Three servers. 1 - Domain Controller, 1 - RDP Server, 1 - RDP Gateway. Everyone who has to connect inside and outside of the network needs their own account on the domain. Through NTFS permissions you can restrict access to resources like file shares and other computers.
B) Two servers. 1 - Domain Controller, 1 - RDP Server, VPN Access
What do you have for VPN? Does your VPN appliance support RADIUS authentication?
RDP Gateway is just a role that Windows Server can do. Windows servers have roles and features.
If you want to start restricting access to resources, it's time for a domain, and a domain will be needed if your company grows. You will use NTFS permissions and group policies to restrict access to resources. This is throwing security out the window, having three separate companies access the same resources, but I doubt your budget allows for anything else.