Forum Discussion
InTune allowing any user with license to enroll device in personally owned
Hi luvsql! It sounds like you have not configured any device platform restrictions. This is where you would configure policies that dictate which users can and cannot enroll personally owned devices.
Take a look at your policies under https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesEnrollmentMenu/deviceTypeEnrollmentRestrictions. You'll find four tabs at the top, allowing you to create restrictions per device platform (Android, Windows, macOS, iOS).
There will already be a restriction with "Default" priority, assigned to "All users". This one is always active and will be applied unless a restriction with a higher priority overrules it. Kind of like a final "deny all" firewall rule, except that this one says "allow all".
You can create additional restrictions, with higher priorities for specific user groups. Inside such a restriction, you can also define if you want to allow enrollment of personally-owned devices.
In your specific case, you'll want to block this in the "Default" restriction and then allow it again, for specific users, in an additional restriction. Remember: this works per device platform, so make sure you create restrictions for all of them.
That should do the trick.
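
The evaluation order described in the answer above, as an added example that is not part of the original post and is not Intune's own code or API: a simplified Python model that resolves which restriction decides for a user on each platform and lists the platforms where personal enrollment is still open. The `Restriction` class, the group names and the sample data are constructed for illustration; it assumes a lower priority number wins and that "Default" is evaluated last.

```python
from dataclasses import dataclass
from typing import Optional

PLATFORMS = ("Android", "Windows", "macOS", "iOS")

@dataclass(frozen=True)
class Restriction:              # hypothetical model, not an Intune object
    name: str
    platform: str
    priority: Optional[int]     # None = "Default"; assumption: lower number wins
    groups: frozenset           # assigned groups; unused for Default ("All users")
    block_personal: bool

def effective(restrictions, platform, user_groups):
    """Return the restriction that decides for this user on this platform."""
    scoped = [r for r in restrictions if r.platform == platform]
    targeted = [r for r in scoped
                if r.priority is not None and r.groups & user_groups]
    if targeted:
        return min(targeted, key=lambda r: r.priority)
    defaults = [r for r in scoped if r.priority is None]
    return defaults[0] if defaults else None

def personal_allowed(restrictions, platform, user_groups):
    r = effective(restrictions, platform, user_groups)
    # Assumption: no matching entry behaves like the untouched Default (allow).
    return r is None or not r.block_personal

def open_platforms(restrictions, user_groups=frozenset()):
    """Platforms where a user in user_groups can enroll a personal device."""
    return [p for p in PLATFORMS
            if personal_allowed(restrictions, p, user_groups)]

# Constructed sample: Default blocked on three platforms, Android forgotten.
SAMPLE = [
    Restriction("Default", "Windows", None, frozenset(), True),
    Restriction("Default", "macOS", None, frozenset(), True),
    Restriction("Default", "iOS", None, frozenset(), True),
    Restriction("Default", "Android", None, frozenset(), False),
    Restriction("BYOD pilot", "iOS", 1, frozenset({"byod-pilot"}), False),
    Restriction("Contractors", "iOS", 2, frozenset({"contractors"}), True),
]

if __name__ == "__main__":
    print("No groups:", open_platforms(SAMPLE))
    print("byod-pilot:", open_platforms(SAMPLE, frozenset({"byod-pilot"})))
```

With this sample, a user in no group can still enroll a personal Android device, because the "Default" restriction was only tightened on the other three platforms.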