The policy applies to "client" endpoints; PowerShell is not one. You can, however, create/assign a custom role to any users you want to be able to create Groups via PowerShell. For example, the "Mail Recipients" role already has the New-UnifiedGroup cmdlet.
Best Response confirmed by
Massimo Prota (Occasional Contributor)
Thanks for your answer. Unfortunately this still won't let us achieve our requirement to control it by applying it to a security group.
Add-AzureADDirectoryRoleMember : Error occurred while executing AddDirectoryRoleMember
Message: Role membership changes can only contain objects of the following types: 'ServicePrincipal,User'.
So we'll have to create an Application (service principal) and delegate the operations to it, or assign the permissions per-user.
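The per-user workaround mentioned in the reply above, written out as an added example that is not part of the thread: because Add-AzureADDirectoryRoleMember only accepts User or ServicePrincipal objects, the script expands the security group to its user members and assigns the directory role to each of them, skipping users who already hold it so it can be re-run as membership changes. It uses the AzureAD module cmdlets already visible in the error message and assumes an existing Connect-AzureAD session; the group name, the role name and the -Prune switch are placeholders chosen for the example. Note that these cmdlets manage Azure AD directory roles; an Exchange Online management role such as "Mail Recipients" is assigned through the Exchange Online cmdlets instead, so the same pattern would need those cmdlets rather than Add-AzureADDirectoryRoleMember.

```powershell
# Added example, not from the original thread.
# Assign an Azure AD directory role to every user in a security group, one
# user at a time, because directory roles cannot contain groups.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.
param(
    [string]$GroupName = 'Group-Creators',       # hypothetical security group
    [string]$RoleName  = 'Groups Administrator', # hypothetical directory role
    [switch]$Prune                               # also remove users who left the group
)

# Built-in directory roles only appear in Get-AzureADDirectoryRole once activated
# from their template, so activate it on first use.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
    if (-not $template) { throw "No directory role template named '$RoleName'" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

$group = Get-AzureADGroup -SearchString $GroupName | Where-Object { $_.DisplayName -eq $GroupName }
if (-not $group) { throw "Security group '$GroupName' not found" }

# Current role members, so re-running the script is idempotent.
$current = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object -ExpandProperty ObjectId

# -All $true pages past the default result limit. Nested groups are NOT expanded;
# only direct User members are eligible for role membership.
$users = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' }

foreach ($u in $users) {
    if ($current -contains $u.ObjectId) {
        Write-Host "Already assigned: $($u.UserPrincipalName)"
        continue
    }
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $u.ObjectId
    Write-Host "Assigned '$RoleName' to $($u.UserPrincipalName)"
}

# Optional pruning so the role tracks the group instead of growing forever.
# Only touch User objects; service principals and any admins assigned outside
# this script are left alone by matching on the users we just enumerated.
if ($Prune) {
    $roleUsers = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectType -eq 'User' }
    foreach ($m in $roleUsers) {
        if ($users.ObjectId -notcontains $m.ObjectId) {
            Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $m.ObjectId
            Write-Host "Removed '$RoleName' from $($m.UserPrincipalName) (no longer in group)"
        }
    }
}
```

Because the assignment is a snapshot of the group, it drifts as soon as membership changes; run it on a schedule (with -Prune only after confirming no user holds the role for another reason), or use the service-principal route the reply mentions so the group itself stays the control point.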