Well, this is not strictly possible with RBAC, from the docs :(
Note: You cannot restrict create or deletecollection requests by their resource name. For create, this limitation is because the name of the new object may not be known at authorization time. If you restrict list or watch by resourceName, clients must include a metadata.name field selector in their list or watch request that matches the specified resourceName in order to be authorized. For example, kubectl get configmaps --field-selector=metadata.name=my-configmap
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
I will try allowing create for any resource name, but restricting other verbs with resourceNames.
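
The approach described in the comment above, written out as a Role manifest. This is an added example, not part of the original comment; the namespace `demo` and the Role name `configmap-editor` are assumptions, and `my-configmap` is the name used in the quoted docs note.

```yaml
# Added example; "demo" and "configmap-editor" are hypothetical names.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: demo
  name: configmap-editor
rules:
  # create of a new ConfigMap cannot be restricted by resourceNames:
  # the object's name may not be known at authorization time, so this
  # rule is left without resourceNames and applies to any name.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  # Verbs that address an existing object by name are pinned to it.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "update", "patch", "delete"]
    resourceNames: ["my-configmap"]
  # list and watch restricted by name are only authorized when the
  # client sends a matching field selector, e.g.
  #   kubectl get configmaps --field-selector=metadata.name=my-configmap
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["list", "watch"]
    resourceNames: ["my-configmap"]
```

The first rule lets the bound subject create a ConfigMap under any name in the namespace; RBAC cannot narrow that, so a name constraint on create would have to be enforced outside RBAC, for example at admission.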