Separation of duty: forbidden association

Hi @llebrault

As you have to leave both entitlements requestable and ensure that users do not have both at the same time, what I can recommend is to create a workflow to remove the entitlements when both are being provisioned.

The Provisioning Completed trigger input has the attributeRequests array, which you should inspect with JSONPath or comparator operators to check whether both entitlements are present:

So, if both entitlements are present, you can raise an HTTP Request action to submit a REVOKE_ACCESS request for them, followed perhaps by a notification.

I do not know your business model there, but I think that if the Identity has some attribute that lets you deduce which of the two entitlements it should not have, you can raise an HTTP Request to revoke only the incorrect entitlement.
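
The check described in this reply, sketched in Python as an added example that is not part of the original post or of SailPoint's own code: it looks for both entitlement values among the successful Add operations of one Provisioning Completed event and, if both are found, builds the REVOKE_ACCESS body an HTTP Request action would send. Payload field names other than attributeRequests are assumptions about the event shape, and the entitlement values and IDs are constructed placeholders.

```python
# Added example: field names other than attributeRequests and REVOKE_ACCESS
# are assumptions about the payload shape; all values and IDs are constructed.
A = "CN=Payments-Create,OU=Groups,DC=example,DC=com"
B = "CN=Payments-Approve,OU=Groups,DC=example,DC=com"
# attributeRequests carries entitlement *values*; the revoke needs their IDs.
ENTITLEMENT_IDS = {A: "ENTITLEMENT_ID_A", B: "ENTITLEMENT_ID_B"}

SAMPLE_EVENT = {  # constructed Provisioning Completed input
    "recipient": {"type": "IDENTITY", "id": "IDENTITY_ID_PLACEHOLDER"},
    "accountRequests": [{
        "provisioningResult": "SUCCESS",
        "attributeRequests": [
            {"attributeName": "memberOf", "attributeValue": A, "operation": "Add"},
            {"attributeName": "memberOf", "attributeValue": [B], "operation": "Add"},
        ],
    }],
}

def added_values(event):
    """Collect every value successfully added anywhere in this event."""
    found = set()
    for acct in event.get("accountRequests") or []:
        if str(acct.get("provisioningResult", "")).upper() != "SUCCESS":
            continue  # a failed or pending request granted nothing
        for req in acct.get("attributeRequests") or []:
            if str(req.get("operation", "")).lower() != "add":
                continue  # assumption: only Add operations grant access
            value = req.get("attributeValue")
            values = value if isinstance(value, list) else [value]
            found.update(v for v in values if isinstance(v, str))
    return found

def build_revoke_request(event, ids=ENTITLEMENT_IDS):
    """Return a REVOKE_ACCESS body if both values were added, else None."""
    if not set(ids) <= added_values(event):
        return None
    return {
        "requestedFor": [event["recipient"]["id"]],
        "requestType": "REVOKE_ACCESS",
        "requestedItems": [
            {"type": "ENTITLEMENT", "id": ent_id,
             "comment": "SoD: forbidden association"}
            for ent_id in ids.values()
        ],
    }
```

The check only sees entitlements added within the same event, which matches the "both are being provisioned" condition in the reply.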