This use case requires two roles to be assigned to the user that you want to restrict:
1- For Apigee Environment Admin, add the following condition:
    resource.name.startsWith("organizations/PROJECT-NAME/apis/PROXY-NAME") ||
    resource.type == "cloudresourcemanager.googleapis.com/Project"
2- For the custom role, add the following permissions:
apigee.deployments.get
apigee.deployments.list
apigee.entitlements.get
apigee.organizations.get
apigee.projectorganizations.get
apigee.setupcontexts.get
apigee.environments.get
apigee.environments.list
Note: if the user requires more access, for example to view trace sessions within a proxy, you can add the permissions below to the custom role.
apigee.tracesessions.get
apigee.tracesessions.list
[1] https://cloud.google.com/iam/docs/conditions-overview
[2] https://cloud.google.com/iam/docs/creating-custom-roles#creating
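
One way to apply the two grants above with gcloud, as an added example that is not part of the original answer. The member, the custom role ID and title, and binding the custom role without a condition are assumptions; PROJECT-NAME and PROXY-NAME are the placeholders used above.

```shell
#!/bin/sh
# Added example; PROJECT, PROXY, MEMBER and ROLE_ID are placeholder assumptions.
PROJECT="${PROJECT:-PROJECT-NAME}"
PROXY="${PROXY:-PROXY-NAME}"
MEMBER="${MEMBER:-user:dev@example.com}"   # constructed sample member
ROLE_ID="${ROLE_ID:-apigeeProxyViewer}"    # hypothetical custom role ID

# Custom role: the read-only permissions listed above (title is an assumption).
write_role_yaml() {
  cat > "$1" <<'EOF'
title: Apigee proxy viewer
stage: GA
includedPermissions:
- apigee.deployments.get
- apigee.deployments.list
- apigee.entitlements.get
- apigee.organizations.get
- apigee.projectorganizations.get
- apigee.setupcontexts.get
- apigee.environments.get
- apigee.environments.list
EOF
}

# Condition for the Apigee Environment Admin binding. startsWith is a prefix
# match, so any proxy whose name begins with $PROXY is covered as well.
write_condition_yaml() {
  cat > "$1" <<EOF
title: only-${PROXY}
expression: >-
  resource.name.startsWith("organizations/${PROJECT}/apis/${PROXY}") ||
  resource.type == "cloudresourcemanager.googleapis.com/Project"
EOF
}

# Creates the role and both bindings; needs gcloud and IAM admin rights.
apply_grants() {
  tmpdir="$(mktemp -d)"
  write_role_yaml "$tmpdir/role.yaml"
  write_condition_yaml "$tmpdir/cond.yaml"
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT" --file="$tmpdir/role.yaml"
  gcloud projects add-iam-policy-binding "$PROJECT" --member="$MEMBER" \
    --role="roles/apigee.environmentAdmin" --condition-from-file="$tmpdir/cond.yaml"
  # Assumption: the custom role is bound without a condition.
  gcloud projects add-iam-policy-binding "$PROJECT" --member="$MEMBER" \
    --role="projects/$PROJECT/roles/$ROLE_ID" --condition=None
  rm -rf "$tmpdir"
}

if [ "${1:-}" = "apply" ]; then apply_grants; fi
```

Saved as a script, it changes nothing unless called with the `apply` argument; review the two generated YAML files first by calling the `write_*` functions on their own.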