Those rules are used only for the registration phase. Once the device has registered into Azure AD, it no longer contacts ADFS.
So I am not sure how a GPO would be relevant in this scheme (unless you mean a GPO with a WMI filter that would apply only to 1909 and higher?).
That said, you could control the issuance of the token you need for registration (and add conditions...). But the point would be very limited. And if the machines cannot get a token from ADFS, they will fall back into Synchronized Mode (so they would end up being registered anyways as long as the respective computer is in scope of the synchronization).
I am curious to know why it matters anyways. What is the issue with lower Windows 10 versions being Hybrid Azure AD Joined?