@Ben Woychowsky, Thanks for posting in Q&A.
Q1. What licenses are needed for the Intune policy to work?
A1. For Intune policy to work, it need Microsoft Intune Plan 1 and Microsoft Intune Plan 1 is included in the following mentioned in the link.
https://video2.skills-academy.com/en-us/mem/intune/fundamentals/licenses#microsoft-intune
Q2. What permissions are needed?
A2. For Intune policy to work, please be sure the user has been assigned Intune license mentioned in A1, once you have assigned the policy and user was assigned licenses, it can work properly.
Q3. Should the policy be targeted at a user rather than a device?
A3. The policy should be targeted at a device.
Q4. What is the best information to identify USB storage devices for the eventual whitelist?
A4. You can try to restrict USB devices and allow specific USB devices using Administrative Templates.
Or you can refer the link below.
https://www.thewindowsclub.com/how-to-prevent-installation-of-removable-devices-on-windows-10
Note: Non-Microsoft link, just for the reference.
Hope above information can be helpful. If there is any update, feel free to let me know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.