Hi! I have the exact same requirement and blocking problem. I just opened another topic here on it: "Vault PKI role to limit CN/SANs to requesting user's identity".
Did you ever find a solution/workaround? Even with domain templating, it appears it's impossible to actually limit PKI issuing to a user's identity when using email.