Enable application constraint for User-assigned Managed Identity
Currently you can use user-assigned managed identities to authenticate Azure services to specific scopes in your tenant.
However, you currently cannot restrict that user-assigned identity to work with only specific Azure services: it works with all managed-identity-enabled services or none. This presents a risk where elevated privileges are assigned to a managed identity that is intended to be used only with a specific Azure service in a specific Azure scope. Any user with the Managed Identity Operator role or higher who also has rights on another Azure service that supports managed identities could attach the identity to that service or application and authenticate in an unintended way.
Enabling a feature that would restrict the use of the managed identity to a specific Azure service and scope within the tenant would mitigate this risk.
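Until such a constraint exists, a compensating control is to audit every place a user-assigned identity is attached against the service type and scope it was created for. The following is an added example, not part of the original request: the allow-list, identity ids and resource rows are constructed, and the row shape assumes the `id`, `type` and `identity.userAssignedIdentities` fields of Azure Resource Graph `resources` output.

```python
"""Audit user-assigned managed identity (UAMI) attachments against an allow-list.
Azure cannot yet pin a UAMI to one service type and scope, so this flags every
resource that has a UAMI attached outside the type/scope it was created for.
Identity ids and resource rows are constructed samples shaped like Azure Resource
Graph 'resources' output (id, type, identity.userAssignedIdentities)."""

UAMI_PROD = ("/subscriptions/sub-1/resourcegroups/rg-prod/providers/"
             "microsoft.managedidentity/userassignedidentities/uami-webapp")
UAMI_STRAY = ("/subscriptions/sub-1/resourcegroups/rg-dev/providers/"
              "microsoft.managedidentity/userassignedidentities/uami-stray")

# identity id -> (allowed resource type, allowed scope prefix), all lower-case
ALLOWED = {
    UAMI_PROD: ("microsoft.web/sites", "/subscriptions/sub-1/resourcegroups/rg-prod/"),
}

# Constructed rows: the intended web app; a dev VM reusing the prod identity
# (the cross-service misuse described above); a dev web app using the prod
# identity outside its scope; and an identity with no allow-list entry.
RESOURCES = [
    {"id": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.Web/sites/app-prod",
     "type": "microsoft.web/sites",
     "identity": {"type": "UserAssigned", "userAssignedIdentities": {UAMI_PROD: {}}}},
    {"id": "/subscriptions/sub-1/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm-dev",
     "type": "microsoft.compute/virtualmachines",
     "identity": {"type": "UserAssigned", "userAssignedIdentities": {UAMI_PROD: {}}}},
    {"id": "/subscriptions/sub-1/resourceGroups/rg-dev/providers/Microsoft.Web/sites/app-dev",
     "type": "microsoft.web/sites",
     "identity": {"type": "UserAssigned", "userAssignedIdentities": {UAMI_PROD: {}, UAMI_STRAY: {}}}},
]


def find_unexpected_attachments(resources, allowed):
    """Return (identity_id, resource_id, reason) for each attachment outside its allow-list."""
    findings = []
    for res in resources:
        identity = res.get("identity") or {}
        for uami_id in identity.get("userAssignedIdentities") or {}:
            rule = allowed.get(uami_id.lower())  # ARM ids are case-insensitive
            if rule is None:
                findings.append((uami_id, res["id"], "identity not in allow-list"))
            elif res["type"].lower() != rule[0]:
                findings.append((uami_id, res["id"], "unexpected service type"))
            elif not res["id"].lower().startswith(rule[1]):
                findings.append((uami_id, res["id"], "outside allowed scope"))
    return findings
```

Run it against real Resource Graph rows (for example the output of a `resources | where isnotnull(identity.userAssignedIdentities)` query) and alert on any non-empty result.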