@EnterpriseArchitect Thanks for posting your query here!
Yes, you can configure Azure policies to restrict certain operations at the resource management groups, subscriptions, resource groups, and resources. Please refer to Scope to know more about this. Also, there are a few inbuilt policies. You can also restrict the permitted operating systems (operating system types/certain images). For that, please refer to Permitted Virtual Machines.
Also, you can restrict access for the user at the subscription level, resource group level, and resource level. Please refer to Assign Azure roles using the Azure portal for the same.
Kindly let us know if the above helps or you need further assistance on this issue.
---------------------------------------------------------------------------------------------------------------------------------------------------
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
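
As an illustration of the image restriction mentioned in the answer above, here is an added example (not part of the original answer and not one of the built-in policies it refers to) of a custom Azure Policy definition that denies virtual machines whose marketplace image publisher or offer is not on an approved list. The display name, parameter names and default values are constructed for illustration; the definition can be assigned at any of the scopes the answer lists.

```json
{
  "properties": {
    "displayName": "Example: allow only approved VM image publishers and offers",
    "description": "Constructed example. Denies VM creation when the image publisher or offer is not in the approved lists supplied at assignment time.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "allowedPublishers": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed image publishers",
          "description": "Sample default values; replace with your approved publishers."
        },
        "defaultValue": ["MicrosoftWindowsServer", "Canonical"]
      },
      "allowedOffers": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed image offers",
          "description": "Sample default values; replace with your approved offers."
        },
        "defaultValue": ["WindowsServer", "0001-com-ubuntu-server-jammy"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          {
            "anyOf": [
              { "field": "Microsoft.Compute/imagePublisher", "notIn": "[parameters('allowedPublishers')]" },
              { "field": "Microsoft.Compute/imageOffer", "notIn": "[parameters('allowedOffers')]" }
            ]
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Assigning the definition with the `audit` effect first shows which existing machines would be flagged before `deny` starts blocking deployments.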