Enforce cert auth method for specific roles only

Looking to configure policy allowing certificate request signing only for clients with a valid certificate where a custom OID is inserted in the Extended Key Usage section of the certificate.

Here, Vault PKI has a SubCA signing cert but did not originally provide the client cert. In this case Vault PKI has the trust chain of the signer that did sign the original client cert.

I’ve only seen documentation on “tls_require_and_verify_client_cert” and I don’t want this enabled globally. Appreciate some pointers towards updated documentation. Thanks!