aws iam abac

Attribute-based Access Control (ABAC) is access control based on resource tags. See also What is ABAC for AWS?

Smaller scoped accounts and RBAC are preferable to multi-tenant accounts because ABAC has limitations, including incomplete support across AWS services. However, it can still be useful for implementing cross-cutting concerns across AWS accounts, e.g. SSM Session Manager access to tagged instances only.

To limit actions to specific tags, use a policy condition that references the aws:ResourceTag global condition key or a service-specific key, e.g. ec2:ResourceTag. Some services support only the service-specific version of this key and not the global version. See the service authorization reference page for details on which condition keys each action accepts, e.g. Actions, resources, and condition keys for Amazon EC2.

For this to work, you also need to limit which tag values can be used in a request via the aws:RequestTag global condition key, and/or which tag keys can be used via the aws:TagKeys condition key. Otherwise a principal who can tag a resource can tag their way into access. See these EC2 examples.
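The following identity-based policy is an added example, not part of the original note or of any AWS documentation, that ties the two points above together: it grants SSM Session Manager and a couple of EC2 actions only on instances carrying a specific tag, and then restricts tagging so the principal cannot change that tag to widen their own access. The account ID 111122223333, the tag key Environment and the values dev/test are constructed placeholders. Session Manager's StartSession action is checked with SSM's own service-specific key ssm:resourceTag/<key>, while the EC2 actions use ec2:ResourceTag, illustrating the service-specific keys mentioned above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SessionManagerOnlyOnDevTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/Environment": "dev"
        }
      }
    },
    {
      "Sid": "AllowDefaultSessionDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "Ec2ActionsViaServiceSpecificKey",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "dev"
        }
      }
    },
    {
      "Sid": "TagOnlyAtLaunchWithApprovedKeyAndValues",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances",
          "aws:RequestTag/Environment": [
            "dev",
            "test"
          ]
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "Environment"
          ]
        }
      }
    },
    {
      "Sid": "DenyRemovingTheAuthorizationTag",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "Environment"
          ]
        }
      }
    }
  ]
}
```

The tagging statement is the part that makes the ABAC grant safe: ec2:CreateAction limits tagging to the moment an instance is launched, aws:RequestTag pins the Environment value to an approved list, and ForAllValues on aws:TagKeys stops the request from carrying any other key. The explicit Deny on ec2:DeleteTags for the Environment key wins over any Allow elsewhere in the principal's policies. Because IAM evaluates every policy attached to the principal, the same tagging restrictions have to be applied to any other role that can tag these instances, or the resource-tag condition can still be bypassed from that role.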