Customer needs to block access to youtube generally but allow embedded videos from specific sites.

To meet all requirements, we have to setup three basic rules:

Rule 1:
Setup referer combine objects for source:

1. Request header: Referer : regex : referer-domain.com
2. Request header: Referer : regex : s.ytimg.com

ALLOW as action.

Rule 2:
Setup destination combine objects for destination

1. Destination URL: Combine of youtube.com AND referer-domain.com
2. Destination URL: Combine of youtube.com AND crossdomain.xml
3. Destination URL: s.youtube.com
4. Destination URL: s.ytimg.com
5. Destination URL: Combine of youtube.com AND embed

ALLOW as action.

Rule 3:
Destination URL: youtube.com

DENY as action

===========

This workaround was tested and working when this article has written; clicking to view on youtube website is working on the video from referer-domain.com, but other videos are DENIED.

NOTE: Other referer website may or may not have different patterns of referring to embed youtube videos; this article applies to the general suggested youtube embedding practice.  

For an article about configuring a general allow of embedded youtube video without any condition on the referer website, see: Is there a way to allow embedded youtube video when www.youtube.com has been denied in the policy?