by gingerlime 1953 days ago
Could you expand on that? My familiarity with IAM is very limited (about as fun as getting teeth pulled), and this sounds interesting.

I can try to explain it in a simplified fashion: when provisioning entities (EC2 instances, for example) you go through certain settings (for this example I am talking about manual provisioning through the UI, not IaC, CLI, etc.), and one of the things you can do is give the EC2 instance a tag. There are a number of reasons to do tagging, to name a few: to make it easier to find a particular instance, cost optimisation, seeing who owns it. After this you write a policy that says what a user/entity can do. This policy can take advantage of the tag, to say: "Only a user who has tag XYZ can stop this EC2 instance that has tag XYZ." Let me know if that does not make sense and I can go a level simpler.
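An added example of the tag-matching policy described above (not the commenter's own, and the tag key `team` is assumed): the first statement lets a principal stop or start only instances whose `team` tag equals the principal's own `team` tag, and the second statement denies changing that tag on instances, since without it a user could simply re-tag an instance to make the condition match.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StopStartOnlyOwnTeamInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/team": "${aws:PrincipalTag/team}"
        }
      }
    },
    {
      "Sid": "DenyChangingTheTeamTagOnInstances",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "team"
        }
      }
    }
  ]
}
```

`${aws:PrincipalTag/team}` is resolved from the tag on the calling IAM user or role, so the same policy works for every team without per-team copies; a principal with no `team` tag matches nothing and is denied by default.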