How to Enforce User-Based Resource Isolation in Amazon SageMaker Studio with ADFS Authentication?


I'm configuring Amazon SageMaker Studio and aim to implement user-based resource isolation. Specifically, I want each ADFS-authenticated user to only access their corresponding Amazon SageMaker user profile.

Context:
I plan to use the UPN Claim Type from ADFS as the identifier. For example, ADFS would pass bob.smith@acme.com as the UPN Claim Type.

Approach:
I'm thinking of using IAM policy conditions to compare this UPN claim to a custom tag set on the Amazon SageMaker user profile:

  • Tag key = upn
  • Tag value = bob.smith@acme.com

By doing this, the IAM policy could enforce that only users with a matching UPN Claim Type can access that profile.

Additional Restrictions:
I also aim to restrict users from editing the upn tag on their SageMaker user profiles. This ensures the tag can only be set or modified by admin users.

Questions:

  1. Is there a more efficient or straightforward way to accomplish user-based resource isolation with ADFS in SageMaker Studio?
  2. Can someone share a sample IAM policy that accomplishes this, especially the part that restricts tag editing?
  3. Would the condition to enforce this in the IAM policy look something like this?
    "Condition": {
        "StringEquals": {
            "sagemaker:ResourceTag/upn": "${aws:PrincipalTag/upn}"
        }
    }
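A sample policy for the tag-matching pattern described in the question, added here as an illustration (it is not an answer from the thread and not AWS documentation). REGION, ACCOUNT_ID and DOMAIN_ID are placeholders, and it assumes ADFS emits the UPN as the SAML attribute https://aws.amazon.com/SAML/Attributes/PrincipalTag:upn so that it becomes aws:PrincipalTag/upn on the federated session.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenStudioOnlyForOwnProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeUserProfile"
      ],
      "Resource": "arn:aws:sagemaker:REGION:ACCOUNT_ID:user-profile/DOMAIN_ID/*",
      "Condition": {
        "StringEquals": {
          "sagemaker:ResourceTag/upn": "${aws:PrincipalTag/upn}"
        }
      }
    },
    {
      "Sid": "ListCallsNeededToReachTheProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListDomains",
        "sagemaker:DescribeDomain",
        "sagemaker:ListUserProfiles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyAnyChangeToTheUpnTag",
      "Effect": "Deny",
      "Action": [
        "sagemaker:AddTags",
        "sagemaker:DeleteTags",
        "sagemaker:CreateUserProfile"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["upn"]
        }
      }
    }
  ]
}
```

The Allow grants Studio access only where the profile's upn tag equals the session's principal tag; the explicit Deny on aws:TagKeys blocks adding, overwriting or removing that tag even if another attached policy grants tagging, so only principals without this policy (the admins) can set it. Session tags also require the federation role's trust policy to grant sts:TagSession alongside sts:AssumeRoleWithSAML.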
No answers