I can't see any way this would work, the users would need a license applied for the tenant in which they are enrolling the device. Could they not use Group Tags and Scope tags to put it in the same tenant, but restrict control?

When a device try to join Azure AD you normally provide credentials to do that. Those credential will then give access (if the user is allowed to join devices to AAD) to join the device and it will seek informations to do so. I have not heard that you can do what you customers want.

If you remove the on prem sync part of the issue as this can be done but using 3rd party tooling not the inbuilt AAD sync to sync across multiple tenants

Then you can join it partly like that to get what you want. But it would make no sense to do so, due to licencing and ongoing management costs.  

You could enrol all the devices into their own tenant, then use Lighthouse and Rbac/ PIM to restrict each region to their devices based on tags / scopes for management. However, each user would end up using a guest account (b2b) when logging onto the device if you still want to get the best licensing from one main tenant for the users.  This would mean you would not be using part of the entitlement for Intune in your main tenant but paying for extra licenced in the device management tenant



However, using the B2b access you lose all the benefit of using SSO and it create whole from the point of security so I would not recommend it. Unless you fully understand these risks  

You could move to fully custom Rbac roles that way a user could have almost all of the GA roles but the Intune could be taken out.

The main part of the problem here is trust and training for the process that you are training to setup. If you do not feel the Global administrator can be trusted to understand the impact they may have. Then you have an internal process problem that needs to be addressed more than chaining the design of the management of the system.

If it is a case that the device will be managed by different third-party e.g different party in each region for the devices. Then that makes more sense to what you are trying to do. But if you give a user global admin you need to make sure they have adequate training and understanding of what they are doing if they are making changes. Otherwise you should be looking at what roles they need and limiting to just that   

AAD is designed to be global and scale. so you really do need to try and remove the limiting legacy boundary's that where always in place with AD onprem and why you would end up with multiple logon accounts.

I would suggest getting a workshop with Microsoft to fully iron out key principles of your design around permission and requirements from the top of the organisation down for how to manage the permission and limit impact of Intune policy's, as licensing is best under one larger pool then individuals pools