0
votes

I want to perform resource-level authorization for my APIs. My API resource URI is given by:

/resource/{id}

My goal is to show the list of {id} based on user role. Every user role has a set of {id}. How can this mapping between user role and resource id be performed with WSO2 API Manager?


1 Answer

0
votes

You can refer to [1] for this task.

According to [1], you can define a scope (can be shared or local) that belongs to particular user role(s). For example, suppose you define a scope named test by adding the user roles Internal/subscriber and admin, and add this scope to your resource (which is /resource/{id}). Then only the users who have the role Internal/subscriber or admin with the scope test can invoke the resource.

I hope your problem will get solved by this.

[1] https://apim.docs.wso2.com/en/3.2.0/learn/api-security/oauth2/oauth2-scopes/fine-grained-access-control-with-oauth-scopes/
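The scope-to-role binding described in the answer above, as a simplified model. This is an added example, not code from the answer or from WSO2; the function names, the dictionaries and the `Internal/everyone` test user are constructed for illustration.

```python
import re

# Constructed data mirroring the answer: scope "test" is bound to two roles
# and attached to the resource template /resource/{id}.
SCOPE_ROLES = {"test": {"Internal/subscriber", "admin"}}
RESOURCE_SCOPES = {("GET", "/resource/{id}"): "test"}


def grant_scopes(user_roles, requested):
    """Token issuance: keep only requested scopes bound to a role the user holds."""
    return {s for s in requested if SCOPE_ROLES.get(s, set()) & set(user_roles)}


def template_to_regex(template):
    """Turn /resource/{id} into a regex matching one path segment per parameter."""
    parts = re.split(r"\{[^/{}]+\}", template)
    return re.compile("[^/]+".join(re.escape(p) for p in parts))


def may_invoke(token_scopes, method, path):
    """Gateway check: the token must carry the scope attached to the matched resource."""
    for (m, template), scope in RESOURCE_SCOPES.items():
        if m == method and template_to_regex(template).fullmatch(path):
            return scope in token_scopes
    return False  # no matching resource: deny by default


def demo():
    sub = grant_scopes(["Internal/subscriber"], ["test"])
    other = grant_scopes(["Internal/everyone"], ["test"])
    return {
        "subscriber /resource/1": may_invoke(sub, "GET", "/resource/1"),
        "subscriber /resource/2": may_invoke(sub, "GET", "/resource/2"),
        "other /resource/1": may_invoke(other, "GET", "/resource/1"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(case, "->", "allowed" if allowed else "denied")
```

In this model both subscriber calls are allowed whatever the id value is, because the scope is attached to the URI template; which id values a role may see is not something this check decides.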