I've been reviewing older posts (two are linked below) which were answered 2-3 years ago, and thought I would pose the question again in case there have been any changes made on the Google side.
Reviewing their current documentation (https://developers.google.com/identity/protocols/oauth2/service-account), I'm wondering whether Google provides any way to restrict or limit domain-wide delegation to a group or subset of users, the same way you can restrict impersonation for EWS (by creating a ManagementRoleAssignment) or Azure apps authorized via the client credential flow (by creating an ApplicationAccessPolicy).
The goal here is to allow an admin to grant Google API access on behalf of users, without requiring individuals to navigate through their own OAuth flow, but to only enable this for a group or subset of users within the organization.
Restrict Domain wide delegation to specific mailboxes
Google Cloud & APIs- Is it possible to have limited domain-wide delegation?
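Added example, not from the original post or from Google's client libraries: it assembles the JWT claim set a service account signs to impersonate a Workspace user under domain-wide delegation (the `iss`/`sub`/`scope`/`aud` claims the linked documentation describes) and gates it behind a caller-maintained allow-list of users and scopes. The service-account e-mail, the group names, the members and the helper names are all constructed for the example. The guard lives entirely in the calling code; whether Google can enforce such a subset server-side is exactly the question the post asks and is not answered here.

```python
"""Domain-wide delegation assertion builder with a client-side subject allow-list.

Added example (not Google's code). Builds the claim set that a service account
signs (RS256) to impersonate a user under domain-wide delegation, and refuses to
build one for a user or scope outside a local policy. Google does not see or
enforce this policy; it is the caller's own mitigation.
"""
import base64
import json
import time
from typing import Dict, List, Optional

TOKEN_URI = "https://oauth2.googleapis.com/token"   # documented `aud` for the assertion
MAX_LIFETIME = 3600                                   # assertions are valid at most one hour

# Constructed policy (assumption): group -> members and the scopes that group may use.
DELEGATION_POLICY: Dict[str, Dict[str, set]] = {
    "hr-mailbox-readers": {
        "members": {"alice@example.com", "bob@example.com"},
        "scopes": {"https://www.googleapis.com/auth/gmail.readonly"},
    },
}


class DelegationDenied(Exception):
    """Raised when the requested impersonation is outside the local policy."""


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_segment(segment: str) -> dict:
    """Decode one base64url JWT segment back to its JSON object (re-adds padding)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_policy(subject: str, scopes: List[str]) -> str:
    """Return the policy group that permits impersonating `subject` with `scopes`.

    Raises DelegationDenied if the user is in no group, or if any requested scope
    exceeds what that group is allowed. Unknown users are denied by default.
    """
    for group, rule in DELEGATION_POLICY.items():
        if subject in rule["members"]:
            extra = set(scopes) - rule["scopes"]
            if extra:
                raise DelegationDenied(f"{subject}: scopes not permitted by {group}: {sorted(extra)}")
            return group
    raise DelegationDenied(f"{subject}: not in any delegation group")


def build_assertion_claims(sa_email: str, subject: str, scopes: List[str],
                           now: Optional[int] = None, lifetime: int = MAX_LIFETIME) -> dict:
    """Build the DWD assertion claim set, after the local policy check passes."""
    if lifetime <= 0 or lifetime > MAX_LIFETIME:
        raise ValueError("assertion lifetime must be between 1 and 3600 seconds")
    check_policy(subject, scopes)
    iat = int(time.time()) if now is None else now
    return {
        "iss": sa_email,            # the service account doing the impersonation
        "sub": subject,             # the user being impersonated (the DWD-specific claim)
        "scope": " ".join(scopes),  # space-delimited; must also be authorized in the Admin console
        "aud": TOKEN_URI,
        "iat": iat,
        "exp": iat + lifetime,
    }


def signing_input(claims: dict) -> str:
    """Return the `header.payload` string the service account's private key signs.

    The RS256 signature over this string becomes the third JWT segment; producing
    it with the service account key is left to the caller's crypto library.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    compact = dict(separators=(",", ":"))
    return _b64url(json.dumps(header, **compact).encode()) + "." + \
        _b64url(json.dumps(claims, **compact).encode())
```

The policy is deliberately deny-by-default on both the user and the scope: a service account key that leaks still carries the full domain-wide grant on Google's side, so this guard only limits what your own code will ask for, not what the key is capable of.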