Hi,
I guess you have a setup where you have a single role used for both birthright and manual request.
In that case I believe there is no out of the box solution to filter out all the identities having the role by birth right and doing the certification only for manually requested.
I created a similar topic a few month ago.
My solution was to start a certification on both birth right and manually requested and then have a workflow that is bulk approving the access that were granted by birth right using the “revocable” attribute.
There is an idea that you can vote for here.
Cheers