Microsoft SQL database project in Visual Studio 2019/2022 - How to deploy varying security principals/permissions dependent on target environment

Question

I have database projects targeting Microsoft Azure SQL instances. The projects were created through and are managed by Visual Studio 2019 and Visual Studio 2022. The projects are deployed to multiple environments; engineering, user acceptance testing and production. Depending on the target the services and therefore the principals will vary, sometimes the permissions do as well (although we try to stick to PoLP).

Problem:

It is possible to create security definitions in the project but then all of these are deployed to all database targets. This is unworkable.

Possible Solution:

Reference the environment in the post-deployment-script by getting the server name and use this to either execute or not execute the statements that produce the security objects. This is horrible. If these security principals needed to be referenced to build the project then the build would fail.

Other thoughts:

Perhaps all the object definitions can be supplied as you would expect them to be. When running a publish the objects that are associated environment could have build enabled and the objects that are not could have build disabled. This could perhaps be achieved with a pre-build script. I don't know if this is possible.