polkit policy, restrict the parameters of an application when running with pkexec

I should be able to restrict the parameters when running an application without asking for password (debian 12, systemd 256, polkit 122-3).
For example:

app foo
app foo ...

should work, but

app bar
app bar ...

should be blocked.

This would be my approach, but it did not work:

polkit.addRule(function(action, subject) {
    var program = action.lookup("program");
    var args = action.lookup("command_line");

    if (action.id == "org.freedesktop.policykit.exec" &&
        subject.isInGroup("some ldap group") &&
        program == "/usr/bin/app" &&
        args[1] == "foo") {
                return polkit.Result.YES;
        }
});

Does anyone have an idea?