I'm uncertain if this is in the correct place, so please bear with me. 

We are currently in process of migrating our Exchange environment from On-Premise to Exchange 365.  Our developer team has an on premise application that uses EWS to read mailbox contents, then delete those messages.  We were able to create an application registration in Azure Active Directory, and are able to access our mailboxes in 365 through impersonation and read contents - Our application is using OAuth with certificate authentication (no login credentials), and we have granted our Application the Use Exchange Web Services with full access to all mailboxes rights.

The problem, however, is that we don't want this application to be able to access all mailboxes, only a specific set of mailboxes.  Currently it is able to access any mailbox.  My question is how can we properly secure this application to only be able to access mailboxes that we specify?  I've seen different suggestions on scoping and roles, but have not been able to find a definitive answer.   If we do not use OAuth, and use user credentials to log into EWS, we have a means of defining write scope in Exchange 365, which will limit that impersonation access.  I've been unable to find similar means when using OAuth with a certificate, and not using specific login credentials.

If anyone can provide some help or direction here, it would be greatly apprediated.  Please let me know if any additional details are required.