What is the best practice to restrict the sign in / access for a specific client via the hosted UI (SSO)?

I want to deny sign in to client A, but not client B, based on DynamoDB items. I implemented it in the following way:

1. Check the permission and throw an error in the pre-authentication lambda.
2. Check the permission and throw an error in the pre-token-generation lambda so that no token is issued if the user is already authenticated. This is necessary because of single sign on. (The pre-authentication lambda is not triggered in this case.) This feels like a hacky solution and I did not find any references for this approach in the internet.

It works. Is it ok to do it like that? Is there a better approach? For instance, is it possible to define which clients will get an access token for a specific user? The sign in will be used also by desktop clients and we don't want to build in any authorization calls or logic to these clients. We just want to deny the access if the user has no permission.