Using a ConditionExpression in UpdateItem, without granting Write permission to the attribute used in the ConditionExpression

I have a DynamoDB database where I'm trying to lock down access to a table (MyTable) to only allow certain updates to be performed by certain users. So the table has items with attributes such as Name, Email, ItemStatus, PrivateAttr1, PrivateAttr2 etc. UserA is allowed to update the Name, Email etc. but not ItemStatus, PrivateAttr1, PrivateAttr2 etc.

To achieve this, UserA belongs to a group to which I have applied a number of IAM policies including one which allows "UpdateItem" with the following Condition:

"Condition": { "ForAllValues:StringEqualsIfExists": { "dynamodb:Attributes": [ "Name", "Email" ] } }

This all works correctly - I'm using the C++ SDK - and allows UserA to change ONLY the Name and Email attributes but without allowing them to update ItemStatus, Attr1 and Attr2.

What I want to do now is only allow this change based on a specific value of the "ItemStatus" attribute. But this particular user is not allowed to CHANGE the ItemStatus attribute. But I want them to be able to only update other attributes if the ItemStatus attribute (as set by another user) is a certain value (say 2). So I have added a ConditionExpression "ItemStatus = :status" and added a AttributeValue of (:status = 2). But instead of getting a failure along the lines of "Conditional Request failed", I am getting a permissions failure: "User: .../UserA is not authorized to perform: dynamodb:UpdateItem on resource: ....:table/MyTable"

It appears that in order to allow the UpdateItem expression to include a ConditionExpression based on the ItemStatus, I need to include ItemStatus in the "UpdateItem" IAM Policy - surely this is not the case, as it also allows UserA to be able to edit the ItemStatus, which I DON'T want to allow.

Thanks in advance for any pointers on how to achieve this!