The approach you suggest sounds like a good way to achieve this. You can check for approved values via that env var and some conditional logic in circle.yml.
I don’t have a guaranteed solution, but I may have some possible workarounds. Have you tried messing with the owner in the deployment section? Another thing to look at is the $CIRCLE_PREVIOUS_BUILD_NUM environment variable. The first build shouldn’t have this filled in while all the rebuilds should. Also check that $CIRCLE_USERNAME is a permitted user.
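As an added example (not code from either reply above, and not CircleCI's own tooling), here is the kind of gate a deployment command could run before doing anything privileged: it checks that the triggering user is on an allowlist and that this is not a rebuild, using the two environment variables mentioned in the replies. The allowlist contents and the idea of treating a set $CIRCLE_PREVIOUS_BUILD_NUM as "rebuild" are assumptions taken from the thread, not documented CircleCI behaviour.

```shell
#!/bin/sh
# Added example: a deploy gate using the CircleCI variables named in the thread.
# Assumptions: $CIRCLE_USERNAME holds the triggering user, and a non-empty
# $CIRCLE_PREVIOUS_BUILD_NUM means the build is a rebuild (per the reply above).

# Constructed allowlist of usernames permitted to deploy (space-separated).
APPROVED_DEPLOYERS="alice bob release-bot"

# is_approved_user USER ALLOWLIST
# Exit 0 only if USER is non-empty and appears in the space-separated ALLOWLIST.
# An empty user (variable unset) is rejected rather than allowed by default.
is_approved_user() {
  user="$1"; allow="$2"
  [ -n "$user" ] || return 1
  for u in $allow; do
    [ "$u" = "$user" ] && return 0
  done
  return 1
}

# is_rebuild PREVIOUS_BUILD_NUM
# Exit 0 if the value is non-empty, i.e. the build was triggered as a rebuild.
is_rebuild() {
  [ -n "$1" ]
}

# deploy_allowed USER PREVIOUS_BUILD_NUM ALLOWLIST
# Exit 0 only for an approved user on a first (non-rebuild) build.
deploy_allowed() {
  is_approved_user "$1" "$3" || return 1
  is_rebuild "$2" && return 1
  return 0
}

# Usage inside the circle.yml deployment command (reads the real variables):
#   deploy_allowed "$CIRCLE_USERNAME" "$CIRCLE_PREVIOUS_BUILD_NUM" "$APPROVED_DEPLOYERS" || exit 1
```

Note the fail-closed choice: if $CIRCLE_USERNAME is empty or unset, the gate denies rather than allows, so a misconfigured environment cannot silently open the deploy step to anyone.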