First of all, I am not a network specialist.
The main problem is, that you base your “security policy” on client software. The snap is inside the home directory of the user and the user can replace it with a version without your “restrictions”.
Instead, you should control the outgoing traffic from the network device, not from one specific software. Any restrictions on a browser does not affect
curl. You don’t have solved the problem, you have found only one workaround for one specific software.
If the domain example.com is under your control, than you should fix it on the server side (authentication and authorisation).
If the domain is not under your control, than you need a firewall which is working on higher OSI layers. I guess, a web application firewall (WAF) can do this.
So far, I don’t really understand, why you want to allow example.org/foo, but not example.org/bar. Maybe you could explain, what exactly you try to do and not how?