You do not need any other NSX function such as VXLAN logical switching or logical routing (NSX DLR, NSX Edge) to be able to use NSX for vShield Endpoint.
In fact, you would not be able to use them if you are not purchasing NSX and only on NSX vShield Endpoint license
FAQ: Implementation of vShield Endpoint beyond EOA of vCNS (2110078) | VMware KB
NSX 6.2.4 and later enables you to manage vShield Endpoint from NSX Manager.
The license that comes embedded in NSX Manager 6.2.4 and later includes an unlimited capacity NSX for vShield Endpoint license key. To ensure you do not use any other unlicensed NSX features (for example VXLAN, DFW, Edge services), the license key will have hard enforcement to prevent NSX host preparation and block Edge creation.
With the release of NSX 6.2.4, if you purchased vSphere with vShield Endpoint (Essential Plus and later), you can download NSX. This means that NSX will appear on the vSphere download site, similar to vCNS.
For vSphere Standard Switch (vSS), I believe you can technically use vSS
Use Agent VM settings for deploying Guest Introspection (GI) or Service VM (for example Trend Micro Deep Security Virtual Appliance/DSVA)



However, in the documentation it says that both Service VM and workload VMs only supported on vSphere Distributed Switch (vDS)

NSX and vSphere Distributed Switches
NSX services are not supported on vSphere Standard Switch. VM workloads must be connected to vSphere Distributed Switches to use NSX services and features.
NSX & vSphere Standard Switch Compatibility · vrandom
it does work, but isn’t supported by VMware, so obviously shouldn’t be utilized in production environments.
You may want to check with VMware Support (GSS) or at least VMware employee to confirm this