I'm thinking Roles. Clone the Student system role as Student Mobile, then you can change the value of the permission moodle/webservice:createmobiletoken
So for the Student Mobile role this would be ALLOW, and for the normal student it would stay as PREVENT.
Then on a course by course basis you can choose which students do and don't have access to that course via the app.
Not automatically that I can tell from within moodle - in theory, you could write a script that ran nightly or similar to inspect the database for the conditions to put them into the Student Mobile role for a course.
Or maybe someone who knows the really technical stuff better can help with that.
HTH though.