Thank you for posting your query on Microsoft Q&A. I am reviewing this and will get back to you with further inputs.
Update1:
Thanks for you time and patience. At this point in time we don't have any sample custom policy to replicate above scenario. However you may use Smart Lockout to block user for some time if the incorrect password is entered multiple times.
Entering the same, or similar password repeatedly doesn't count as multiple unsuccessful logins.
I would recommend to keep the Lockout duration for atleast 1 min (60 seconds).
For ideal testing scenario kindly try : https://learn.microsoft.com/en-us/azure/active-directory-b2c/threat-management#testing-smart-lockout.
Thanks,
Akshay Kaushik