Restricting impersonation scope for the service account can be done by limiting it through distribution group. By following the cmdlets below you can restrict the service account to only impersonate the rooms within the distribution group.
For this to work, the service account will need to be added to the distribution group as the service account needs to be able to impersonate itself.
Please use the SMTP of the service account.
This is just one way of restricting the impersonation scope. For more references and if there is any issues please check with the documentation from Microsoft.
## Create a new distribution group with members
New-DistributionGroup -Name <name> -Members room1@domain.com,room2@domain.com,service-account@domain.com
## Attach $ADGroup to the distribution group you have created
$ADGroup = Get-DistributionGroup -Identity <name>
## Create a management scope that gets restricted to members of the distribution group
New-ManagementScope <scope-name> -RecipientRestrictionFilter "MemberOfGroup -eq '$($ADGroup.DistinguishedName)'"
## Create a service principle to grant permissions to Azure application
New-ServicePrincipal -AppId <Client Application ID in AAD> -ObjectId <Service principal object ID in AAD> -DisplayName <name>
## Create managementroleassignment with permission application impersonation that gets restricted to the managementscope
New-ManagementRoleAssignment -Name "ResourceImpersonation" -Role "Application EWS.AccessAsApp" -App <Client Application ID in AAD> -CustomResourceScope "ResourceMailboxes"