This looks very analogous to enforcing a clear separation of authorization from authentication. So much so that I would assume that leveraging a library meant for authorization like oso[0] might be one of the most straightforward ways of implementing an entitlement system as described in the article.

[0]: https://www.osohq.com