Hi,
I think what you are trying to do is not possible via Azure Policy. It sounds like you want to have another RBAC/IAM mechanism on top of the built-in one by using Azure Policy.
What I wonder is why you need this, because if a user has permissions on the resource group but does not have permissions that allow role assignments (like the built-in roles Owner or User Access Administrator), that user will not be able to do role assignments. By default, even at a higher level, if the user does not have permissions like Owner or User Access Administrator, he/she will not be able to do role assignments. This means that what you are trying to achieve is already available via Azure RBAC/IAM, and you do not need to do anything special besides giving the correct roles/permissions to the user who should perform those actions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
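The check the answer above describes, written out as an added example (it is not part of the original answer): it lists the role assignments that apply to a user at a resource group scope, including ones inherited from higher scopes, and reports which of them actually grant the control-plane action that role assignment requires, `Microsoft.Authorization/roleAssignments/write`. It assumes the Az PowerShell module is installed and `Connect-AzAccount` has already been run; the sign-in name, subscription ID and resource group name are placeholders, and `Test-ActionAllowed` is a helper written for this example.

```powershell
# Added example, not from the original answer. Assumes the Az module is installed and
# Connect-AzAccount has been run. The three parameter defaults are placeholders.
param(
    [string]$SignInName     = 'user@contoso.com',
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',
    [string]$ResourceGroup  = 'my-rg'
)

$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

# Role assignments for the user that apply at this scope. With -Scope the cmdlet also
# returns assignments made at parent scopes (subscription, management group), which is
# what the answer means by "a higher level"; -ExpandPrincipalGroups adds assignments
# the user gets through group membership.
$assignments = Get-AzRoleAssignment -SignInName $SignInName -Scope $scope -ExpandPrincipalGroups

# The control-plane action that governs creating role assignments.
$action = 'Microsoft.Authorization/roleAssignments/write'

function Test-ActionAllowed {
    param([string]$RoleName, [string]$Action)
    $def = Get-AzRoleDefinition -Name $RoleName
    # A definition permits the action when some Actions entry matches it (entries are
    # wildcard patterns, e.g. "*" or "Microsoft.Authorization/*") and no NotActions
    # entry excludes it. This is why Contributor ("*" minus
    # "Microsoft.Authorization/*/Write") cannot assign roles while Owner and
    # User Access Administrator can. DataActions are irrelevant to this control-plane check.
    $allowed  = @($def.Actions    | Where-Object { $Action -like $_ })
    $excluded = @($def.NotActions | Where-Object { $Action -like $_ })
    return ($allowed.Count -gt 0) -and ($excluded.Count -eq 0)
}

$granting = @($assignments | Where-Object {
    Test-ActionAllowed -RoleName $_.RoleDefinitionName -Action $action
})

if ($granting.Count -gt 0) {
    Write-Output "$SignInName CAN create role assignments at $scope via:"
    $granting | Select-Object RoleDefinitionName, Scope, ObjectType | Format-Table -AutoSize
} else {
    Write-Output "$SignInName cannot create role assignments at $scope (no applicable role grants $action)."
}
```

Run it as `.\Check-RoleAssignmentRights.ps1 -SignInName alice@contoso.com -SubscriptionId <id> -ResourceGroup <rg>`. Two caveats a practitioner should keep in mind: the script evaluates only the Actions/NotActions of the assigned role definitions, so it does not account for Azure deny assignments or for ABAC conditions attached to an assignment, both of which can further restrict what the user can do; and a user who holds Owner or User Access Administrator at a higher scope can assign roles on the resource group regardless of what is assigned on the group itself, which is exactly the inherited case the listing includes.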