Unfortunately I don't think it's possible to restrict the capability as you describe. It provides access to the editadvanced page where any profile setting can be changed, not just the username. It also needs to be applied in the system context i.e. a user must be assigned a system role.
Roles and permissions
can Students be given ability to edit username?
This discussion has been locked so you can no longer reply to it.