Hello,
First of you deploy a portal (Webtop) with "SAML Ressources", it will allow you to call your application from your Portal (IDP Initiated). So now you want to manage this SAML ressources as Portal Access in order to hide you SAML App name behind Portal APM hostname.
I really do not think it's possible. I do not see technically how to do it natively.
Additional when your saml response will be send to your IDP the IDP will answer to App hostname and not Portal hostname it will be a confusion. More your Portal VPE will not consume ACS...
Why do you want to deploy this kind of archi?
Regards,