Customer needs to block access to youtube generally but allow embedded videos from specific sites.

For this to meet all requirements, we have to setup three basic rules, as follows.

Assuming the referring website is "referer-domain.com"

Rule 1:
Setup referer combine objects for source:

1. Request header: Referer : regex : referer-domain.com
2. Request header: Referer : regex : s.ytimg.com

ALLOW as action.

Rule 2:
Setup destination combine objects for destination

1. Destination URL: Combine of youtube.com AND referer-domain.com
2. Destination URL: Combine of youtube.com AND crossdomain.xml
3. Destination URL: s.youtube.com
4. Destination URL: s.ytimg.com
5. Destination URL: Combine of youtube.com AND embed

ALLOW as action.

Rule 3:
Destination URL: youtube.com

DENY as action

Done!

===========

This workaround was tested and working when this article has written; clicking to view on youtube website is working on the video from referer-domain.com, but other videos are DENIED.

NOTE: Other referer website may or may not have different patterns of referring to embed youtube videos; this article applies to the general suggested youtube embedding practice.  

For an article about configuring a general allow of embedded youtube video without any condition on the referer website, see: TECH242355 - Is there a way to allow embedded youtube video when www.youtube.com has been denied in the policy?