@Heimdallr, Thanks for posting in Q&A.
For the Hyper-V VM, based on my research, I didn't find that Bluetooth can be shared with the VM. For USB devices, they can only be shared in an RDP/Enhanced session. To double confirm this, you can contact Hyper-V support.
To test on the policy, I think it is better to find one physical machine. For your questions, here are my answers for your reference:
Q1: Create a policy that will block all USB usage, but this also raised another question - How to give USB access to certain people? for example service desk, and only to them, while block it for rest.
A1: You can try the "Excluded groups" option and select the service desk group to exclude from the policy.
https://video2.skills-academy.com/en-us/mem/intune/configuration/device-profile-assign
Q2: Make sure that bluetooth will allow ONLY day to day devices like headset, mouse - No type of storage or anything that could mess with the system.
A2: You can check if "Bluetooth allowed services" can meet your request.
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
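As an added illustration of the A2 point (this is example code, not part of the answer above or of any Microsoft tooling): a Bluetooth service allow-list is expressed as service-class UUIDs, and the 16-bit IDs published in the Bluetooth SIG assigned numbers expand onto the SIG base UUID. The snippet builds an allow-list that covers headset, hands-free, audio-sink, remote-control and HID (mouse/keyboard) profiles while leaving out the OBEX object-push, file-transfer and serial-port profiles that can move data to or from the host. The semicolon separator and the 128-bit text formatting are assumptions about the Policy CSP Bluetooth/ServicesAllowedList value and should be checked against the Intune documentation before use; the profile IDs themselves are the standard SIG values.

```python
# Added example: compose an Intune "Bluetooth allowed services" value
# from Bluetooth SIG service-class IDs. Not from the original answer.

# Bluetooth SIG base UUID suffix; a 16-bit ID occupies the first 32 bits.
BT_BASE_SUFFIX = "-0000-1000-8000-00805F9B34FB"

# Day-to-day profiles (Bluetooth SIG assigned numbers, 16-bit service class IDs).
DAY_TO_DAY_SERVICES = {
    "Headset (HSP)": 0x1108,
    "Hands-Free (HFP)": 0x111E,
    "Audio Sink (A2DP)": 0x110B,
    "A/V Remote Control (AVRCP)": 0x110E,
    "Human Interface Device (mouse, keyboard)": 0x1124,
}

# Profiles that transfer files or expose a raw channel; intentionally NOT allowed.
TRANSFER_SERVICES = {
    "OBEX Object Push": 0x1105,
    "OBEX File Transfer": 0x1106,
    "Serial Port": 0x1101,
}


def to_uuid128(short_id: int) -> str:
    """Expand a 16-bit (or 32-bit) SIG service ID onto the Bluetooth base UUID."""
    if not 0 <= short_id <= 0xFFFFFFFF:
        raise ValueError(f"service id out of range: {short_id:#x}")
    return f"{short_id:08X}{BT_BASE_SUFFIX}"


def build_allow_list(services: dict) -> str:
    """Build the semicolon-separated allow-list string (separator is an assumption)."""
    return ";".join(to_uuid128(sid) for sid in services.values())


def is_allowed(service_uuid: str, allow_list: str) -> bool:
    """Check whether a device-offered service UUID is covered by the allow-list."""
    allowed = {u.strip().upper() for u in allow_list.split(";") if u.strip()}
    return service_uuid.strip().upper() in allowed


def review(allow_list: str) -> dict:
    """Report which transfer-capable profiles would still be permitted (should be none)."""
    return {
        name: is_allowed(to_uuid128(sid), allow_list)
        for name, sid in TRANSFER_SERVICES.items()
    }


if __name__ == "__main__":
    policy_value = build_allow_list(DAY_TO_DAY_SERVICES)
    print("Allowed services value:", policy_value)
    for name, permitted in review(policy_value).items():
        print(f"{name}: {'PERMITTED (review!)' if permitted else 'blocked'}")
```

The `review` function is the check worth keeping in a change pipeline: if a later edit to the allow-list accidentally adds a transfer profile, the function flags it before the profile is assigned.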