@Heimdallr, Thanks for posting in Q&A.
For the Hyper-V VM, based on my research, I didn't find that Bluetooth can be shared with the VM. USB devices can only be shared in an RDP/Enhanced session. To double-check this, you can contact Hyper-V support.
https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/enhanced-session-mode
To test the policy, I think it is better to find a physical machine. For your questions, here are my answers for your reference:
Q1: Create a policy that will block all USB usage, but this also raised another question: how to give USB access to certain people, for example the service desk, and only to them, while blocking it for the rest.
A1: You can try the "Excluded groups" option and select the service desk group to exclude from the policy.
https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-assign
Q2: Make sure that Bluetooth will allow ONLY day-to-day devices like headsets and mice; no type of storage or anything that could mess with the system.
A2: You can check if "Bluetooth allowed services" can meet your request.
https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#bluetooth
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
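For the Q2/A2 part above, here is an added example (not code from the answer or from Microsoft's documentation) that builds the list of Bluetooth service UUIDs you would enter as "Bluetooth allowed services" entries and checks that no file-transfer or network profile slipped into it. It assumes the policy takes 128-bit service UUIDs and that a typical headset and mouse use the profiles listed; the short IDs are Bluetooth SIG assigned numbers, so which of them a given device actually needs should be verified against that device.

```python
"""Build and sanity-check an allow-list for the Intune 'Bluetooth allowed
services' device restriction (constructed example, not Microsoft code).

A 16-bit Bluetooth SIG assigned number XXXX expands to the 128-bit UUID
0000XXXX-0000-1000-8000-00805F9B34FB, which is the form entered in the policy
(assumption).
"""

BASE_UUID_SUFFIX = "-0000-1000-8000-00805F9B34FB"


def expand_uuid(short_id: int) -> str:
    """Expand a 16-bit Bluetooth SIG service class id to its 128-bit UUID."""
    if not 0 <= short_id <= 0xFFFF:
        raise ValueError(f"not a 16-bit assigned number: {short_id:#x}")
    return f"{short_id:08X}{BASE_UUID_SUFFIX}"


# Profiles a day-to-day headset or mouse needs (assumed typical set).
DAY_TO_DAY_SERVICES = {
    "Headset (HSP)": 0x1108,
    "Hands-Free (HFP)": 0x111E,
    "Audio Sink (A2DP)": 0x110B,
    "A/V Remote Control (AVRCP)": 0x110E,
    "Human Interface Device (HID)": 0x1124,
    "HID over GATT (HOGP, BLE mice/keyboards)": 0x1812,
}

# Profiles that move files or give network access; these stay off the list.
DATA_TRANSFER_SERVICES = {
    "OBEX Object Push (OPP)": 0x1105,
    "OBEX File Transfer (FTP)": 0x1106,
    "Network Access Point (PAN/NAP)": 0x1116,
    "Serial Port (SPP)": 0x1101,
}


def build_allow_list() -> list:
    """Return the UUIDs to enter, one per 'Bluetooth allowed services' entry."""
    return [expand_uuid(sid) for sid in DAY_TO_DAY_SERVICES.values()]


def forbidden_entries(allow_list: list) -> list:
    """Names of data-transfer profiles that leaked into an allow-list."""
    blocked = {expand_uuid(sid): name for name, sid in DATA_TRANSFER_SERVICES.items()}
    return [blocked[u.upper()] for u in allow_list if u.upper() in blocked]


if __name__ == "__main__":
    for entry in build_allow_list():
        print(entry)
    print("leaked data-transfer profiles:", forbidden_entries(build_allow_list()))
```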