@mattifestation
Created October 31, 2021 13:19
A hypothetical AppID Tagging Policy that ConvertFrom-CIPolicy will successfully convert into binary form. Note: at the time of committing this, I have no idea what the purpose of an "AppID Tagging Policy" is.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- PolicyType is what distinguishes this from a regular WDAC (code integrity) policy. -->
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="AppID Tagging Policy">
  <VersionEx>1.0.0.0</VersionEx>
  <!-- PolicyID equal to BasePolicyID marks a base policy in the multiple-policy format. -->
  <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
  <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <!-- Lets the binary policy be consumed without a signature. -->
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
  </Rules>
  <!--EKUS-->
  <EKUs />
  <!--File Rules-->
  <FileRules />
  <!--Signers-->
  <Signers />
  <!--Driver Signing Scenarios-->
  <SigningScenarios>
    <!-- Value="12" is the user-mode (Windows) signing scenario; 131 would be kernel mode. -->
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS">
      <ProductSigners />
      <!-- The AppIDTags element is the only part specific to an AppID Tagging Policy. -->
      <AppIDTags EnforceDLL="true">
        <AppIDTag Key="foo" Value="bar"/>
        <AppIDTag Key="one" Value="two"/>
      </AppIDTags>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners />
  <Settings />
</SiPolicy>
```
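An added example, not part of the gist: a PowerShell script that writes the policy above to disk, inspects its AppID tags, and runs it through `ConvertFrom-CIPolicy` (ConfigCI module, Windows 10/11 and Windows Server 2016+) to produce the binary `.cip`. The file names `AppIDTaggingPolicy.xml` and `AppIDTaggingPolicy.cip` are assumptions; the script does not deploy the resulting policy.

```powershell
# Added example (not from the gist). Requires the ConfigCI module.
# Assumed file names; change as needed.
$policyPath = Join-Path $PWD 'AppIDTaggingPolicy.xml'
$binaryPath = Join-Path $PWD 'AppIDTaggingPolicy.cip'

# The policy XML from the gist, embedded so the script runs stand-alone.
$policyXml = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="AppID Tagging Policy">
  <VersionEx>1.0.0.0</VersionEx>
  <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
  <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
  <EKUs /><FileRules /><Signers />
  <SigningScenarios>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS">
      <ProductSigners />
      <AppIDTags EnforceDLL="true">
        <AppIDTag Key="foo" Value="bar"/>
        <AppIDTag Key="one" Value="two"/>
      </AppIDTags>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners /><CiSigners /><Settings />
</SiPolicy>
'@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Parse the XML first. PowerShell's XML adapter resolves the default namespace,
# so dotted access works without an XmlNamespaceManager.
[xml]$doc = Get-Content -Path $policyPath -Raw
$policy = $doc.SiPolicy
"PolicyType  : $($policy.PolicyType)"
"PolicyID    : $($policy.PolicyID)"
"Base policy : $($policy.PolicyID -eq $policy.BasePolicyID)"

$scenario = $policy.SigningScenarios.SigningScenario
"Scenario    : $($scenario.ID) (Value=$($scenario.Value))"
"EnforceDLL  : $($scenario.AppIDTags.EnforceDLL)"
foreach ($tag in $scenario.AppIDTags.AppIDTag) {
    '  AppIDTag {0} = {1}' -f $tag.Key, $tag.Value
}

# Convert to the binary form consumed by the Code Integrity engine.
ConvertFrom-CIPolicy -XmlFilePath $policyPath -BinaryFilePath $binaryPath

if (-not (Test-Path -Path $binaryPath)) {
    throw "ConvertFrom-CIPolicy produced no output at $binaryPath"
}
$bin = Get-Item -Path $binaryPath
"Binary      : $($bin.FullName) ($($bin.Length) bytes)"

# Show the first 16 bytes of the .cip for a quick look (a hex dump, not a parser).
$head = [System.IO.File]::ReadAllBytes($binaryPath)[0..15]
'First bytes : ' + (($head | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
```

`ConvertFrom-CIPolicy` is a pure file-to-file conversion; nothing here loads the policy into the kernel, so the script is safe to run on a workstation purely to confirm that the schema is accepted.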
pl4nty commented Nov 4, 2022

Releasing a post on this soon - msft are using it for binary-level tenant restrictions (via mpssvc.dll)

mattifestation (author) commented

Looking forward to it, @pl4nty! When the post is public, if you think of it, please post the link to it here. Thanks!

pl4nty commented Jan 31, 2023

@mattifestation wasn't exactly soon, and left out lots of the reverse engineering, but I hope you enjoy :)
The WinHTTP/WinINet options and firewall rule definitions look interesting for further research. But I'm going to focus on some Intune+WDAC writeups for now.
https://tplant.com.au/blog/tenant-restrictions-v2/part-2/

mattifestation (author) commented

Fantastic writeup, @pl4nty! Thank you for digging into this and for following up.
