Here is the main documentation for self-enrollment, including enrollment keys:https://docs.moodle.org/37/en/Self_enrolment
Depending on how enrollment information and instructions are communicated to your users, an enrollment key may be sufficient to accomplice your goal of limiting the course to a single audience. The enrollment key is basically a password that a user needs in order to self-enroll into a course. You create the key, so it can be as simple or complex as you want.
If you limit the enrollment methods to just self-enrollment (and maybe manual enrollment for special situations) and require the key, then only those people with the key can enroll into the course. Users can always share the key with others who shouldn't have it, of course. But, if there is a defined enrollment period - say one week - then, at the end of that period, you can change the key and not publicize it. The enrolled participants remain in the course, and the original key is no longer useful if anyone shares it. And if there is a gap between the enrollment period and the course start date, you can use that time to examine the participants list and unenroll any non.govt enrollees who may have been given the key by a govt user.
I only mention enrollment period as a means to address the possibility of enrollment keys getting passed around to users who shouldn't have them. This likely is not an issue for most situations and you can probably handle the enrollment time period as you normally do.
Enrollment keys are great, too, if you use groups in the course. Each group can have its own enrollment key. When a users enrolls using the key for a particular group, he is enrolled into the course and sorted into the correct group.