Is there any way to block roles outside the AWS organization from assuming roles inside the org using a service control policy (SCP)?

The goal is to implement a control similar to an allowlist where only allowed external accounts can assume roles inside the org.

Here’s what I’ve tried:

• tried restricting the sts:assumerole action in an SCP, but this only works for roles inside the org. From my understanding, since the assumerole is started in the external account, the restriction doesn’t work
• I also looked into restricting the iam:UpdateAssumerolePolicy action in an SCP to see if a restriction for the action can be implemented where users can only specify certain AWS principals in a trust policy, but there is no condition like this for this action

Is using an SCP the right way to do this? Can this be done with an SCP?

I understand IAM access analyzer can be used to alert on when external roles assume roles inside the organization, but that’s more of a reactive control, and we would like to implement a more proactive control where we specify exactly what external accounts are able to assume roles inside the org.