I looked into this further, and I don’t think you can accomplish this with a single workflow. I think you’ll need two. The first workflow will look like this.
It retains most of the logic you already have, with HTTP Request 2 fetching the list of sources by tag name. The only difference is that the loop will need to loop over each source ID and then invoke another workflow. The loop input will be this JSONpath: $.hTTPRequest2.body[*].objectRef.id. And instead of using HTTP Request 1 to invoke the access request API, you’ll use it to invoke the second workflow, as described below.
The second workflow will be this workflow that I use in my show and tell: Workflow to remove access by identity based on special conditions. The only difference is that instead of using an Identity Attribute Changed trigger, you’ll use the external trigger. Your first workflow will call the endpoint generated by the second workflow’s external trigger. You will just need to pass the identity ID and the source ID from each iteration of the loop in workflow 1 to workflow 2. That will allow workflow 2 to know which identity to revoke access from, and which source ID to filter on.