Prevent role request/assignment to sub-identity

Hi all,

We want to prevent a role request / assignment to a specific sub-identity.

Some users have two different accounts in AD (and therefore one additional sub-identity), and we want to block the role assignment to the sub-identity.

Initially, we wanted to do this with a SoD / Identity Audit rule, but I could not figure out the specific role.

Creating an IT shop sounds exaggerated.

Is there a best practice for how to do this?