Purely in theory, you can try to resolve it through iptables.
Write a script that, when connecting / disconnecting a client (client-connect and client-disconnect parameters), will add a mark to packets from this ip (iptables -t mangle -A INPUT -s ${IP} -j MARK --set-mark 0x ???). Label depending on $common_name. Accordingly, iptables initially configure access authorization to resources through labels (iptables -t filter -A FORWARD -i tun0 -m mark --mark 0x??? -d ip_resource -j ACCEPT) and, in principle, you can remove the static binding of clients by ip. At a disconnect to delete rules.

Why are you giving network configs to clients if you can push them from the server using ccd? If the client changes the IP address on the interface, the packets will simply not go through it.

Interest Ask. It seems to me that in this formulation in any way.
I would solve the problem by adding a second (third ... n) OpenVPN instance with similar settings and the only difference is in the subnet. Well, the port will also have to be changed for each subsequent instance. Distribute / restrict access to services from the required subnets to clients, and not IP addresses, as is currently done. Those. when the address is changed by the client, it will be limited by the subnet rules and the address change will lose its meaning.

Your problem has no solution - there will always be a cunning user with a patched client who doesn't give a damn about your prohibitions.
Differentiation of access by addresses does not make sense - there are other means for this, TLS, that's all.