It’s nothing new or novel but I don’t recall this sort of minutiae off the top of my head.
Recently I needed to limit SSH access for a service account (jenkins) to only be able to tunnel to a specific port on a specific host. I was able to do this using .ssh/authorized_keys file wizardry. Behold:
All the details are in the ridiculously complete sshd man page.
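As an added example (not the entry from the original post), here is a small Python check that parses the options field of authorized_keys lines and reports anything that lets a key do more than open a tunnel to one host:port. The options it looks for (`restrict`, `port-forwarding`, `permitopen`, `command`, and the individual `no-*` options) are the ones documented in sshd(8); the host `db.internal.example`, port `5432`, the `/bin/false` forced command and the key blobs are constructed placeholders.

```python
import re

# Constructed sample file: key blobs are placeholders; host, port and comment are assumed.
SAMPLE = '''\
restrict,port-forwarding,permitopen="db.internal.example:5432",command="/bin/false" ssh-ed25519 AAAAPLACEHOLDER jenkins@ci
permitopen="db.internal.example:5432" ssh-ed25519 AAAAPLACEHOLDER jenkins@ci
ssh-ed25519 AAAAPLACEHOLDER jenkins@ci
'''

KEYTYPE = re.compile(r'(ssh-|ecdsa-|sk-)')
# One option: name, optional ="quoted value", then a comma or the whitespace ending the field.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(,|\s+|$)')

def parse_options(line):
    """Return {option_name: [values]} for one authorized_keys line."""
    opts, pos = {}, 0
    if KEYTYPE.match(line):          # line starts with the key type: no options field
        return opts
    while True:
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError(f'cannot parse options at column {pos}')
        opts.setdefault(m.group(1).lower(), []).append(m.group(2))
        pos = m.end()
        if m.group(3) != ',':        # whitespace or end of line closes the options field
            return opts

def audit(line, target):
    """List the ways this key can do more than open a tunnel to target ("host:port")."""
    opts, findings = parse_options(line), []
    hardening = ('no-pty', 'no-agent-forwarding', 'no-x11-forwarding', 'no-user-rc')
    missing = [o for o in hardening if o not in opts]
    if 'restrict' not in opts and missing:
        findings.append('no restrict, and not set individually: ' + ', '.join(missing))
    if 'command' not in opts:
        findings.append('no forced command: key can run commands or a shell')
    opens = opts.get('permitopen', [])
    if not opens:
        findings.append('no permitopen: forwarding to any host and port')
    elif any(t != target for t in opens):
        findings.append('permitopen lists a target other than ' + target)
    return findings

def audit_file(text, target):
    """Map line number -> findings for every key line in an authorized_keys file."""
    return {n: audit(l.strip(), target) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith('#')}

if __name__ == '__main__':
    print(audit_file(SAMPLE, 'db.internal.example:5432'))
```

Only the first sample line comes back clean: `restrict` turns everything off, `port-forwarding` turns forwarding back on, `permitopen` pins the destination, and the forced command keeps the key from getting a shell.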