The problem with AnyDesk is that TLS scanning doesn't work with the connection made to their relay servers (which join the client to the host), so the connection fails.
Exempting URL's doesn't work because the connection is made by IP, not URL. There is a 3 year old post (https://community.sophos.com/xg-firewall/f/discussions/101061/anydesk-not-working) that suggests utilising the Category 'IP address' as a basis for exemption. I think this is a poor solution as it will then allow any direct IP connection, not just the AnyDesk ones.
AnyDesk don't publish a list of their relay servers (presumably because they change over time) but they do have URLs (they just don't use the URL to make the connection). They are all of the format *.net.anydesk.com, e.g. relay-5f045e20.net.anydesk.com
Using a site to retrieve all the A records (I used https://hackertarget.com/find-dns-host-records/) I got a list of all the relay servers, 387 currently, I then put this in an IP list and used that list to exclude the IPs from TLS inspection and AnyDesk works with no issues.
For those wishing to block AnyDesk, you can use this information to build a block list, although, if you are using TLS scanning, AnyDesk doesn't currently work anyway! Maybe Sophos will fix this in a future release (I'm currently using 18.0.3 MR-3).
The list of relay servers will probably change over time, in which case you can use this info to create a new list or just add any new IPs as they crop up (you should be able to find them in the 'SSL/TLS inspection' part of the log viewer).
For those too lazy 
to build their own list, the current list is:
Quote