If you've found a reliable way to block YouTube alone without blocking the rest of Google's services, please share the link or your configuration; you'll make many people here happy. Also, if you can block Facebook without blocking login to other services using the Facebook account, the same people will be happy too.
As to your question: in the same way that you can place accept rules matching the IP addresses of privileged devices before the blocking rules, to exempt the traffic of the privileged devices from being handled by the blocking rules, you can also add a src-address-list to the blocking rules so that these rules apply only to devices whose addresses are placed on that address list.
Firewall rules cannot be directly linked to MAC addresses without spending extra CPU, so I would recommend using static DHCP leases. However, to prevent users from escaping your rules by manually assigning IP addresses, you may need to set arp=reply-only on the interface and let the DHCP server add ARP records for the addresses it leases out. The only reliable measure to prevent users from escaping your rules by changing their MAC addresses is to use 802.1X authentication, which requires (to date) an external RADIUS server. A poor man's alternative to this is to force the use of PPPoE on the LAN. But either of those authentication methods must be used for all users, not just those you want to restrict.
If the above is too theoretical for you, be aware that so was your question - so if you want a more detailed suggestion, post your export.
Instead of writing novels, post /export hide-sensitive. Use find & replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you with a distinctive pattern such as my.public.ip.1.
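The reply above describes the setup in words only. What follows is an added RouterOS configuration example written for this page; it is not the poster's configuration and not an export from any real router. It puts the three pieces together: a static DHCP lease for the restricted device, arp=reply-only on the LAN interface with the DHCP server adding the ARP entries, and a forward-chain drop rule keyed on a src-address-list so that only listed devices are affected. Every name and address in it is an assumption: the bridge is called "bridge", the DHCP server "dhcp1", the LAN is 192.168.88.0/24, the restricted device's MAC is 00:11:22:33:44:55, and the TEST-NET-3 range 203.0.113.0/24 stands in for whatever destinations you actually want to block.

```routeros
# Added example, not the poster's own configuration. All names, MAC and IP
# addresses below are assumptions; adjust them to your own export.

# 1. Pin the restricted device to a fixed address with a static lease, so the
#    firewall can match on an IP address instead of a MAC address.
/ip dhcp-server lease
add server=dhcp1 mac-address=00:11:22:33:44:55 address=192.168.88.50 \
    comment="restricted-laptop"

# 2. Make the LAN interface answer ARP only for addresses it already knows,
#    and let the DHCP server create those ARP entries as it hands out leases.
#    A client that assigns itself an address by hand then gets no ARP reply
#    from the router, so it cannot sidestep the rules by picking an IP.
#    Note: this applies to every device on the bridge, so every device,
#    privileged or not, must obtain its address from dhcp1 (or have a
#    static entry under /ip arp).
/interface bridge
set [ find name="bridge" ] arp=reply-only
/ip dhcp-server
set [ find name="dhcp1" ] add-arp=yes

# 3. Put the restricted devices on an address list and key the blocking rule
#    on it. Privileged devices are simply absent from the list, so no separate
#    accept rule ahead of the blocking rule is needed for them.
/ip firewall address-list
add list=restricted address=192.168.88.50 comment="restricted-laptop"
add list=blocked-dst address=203.0.113.0/24 \
    comment="placeholder for the destinations you block"

# Matching connection-state=new means only the first packet of each new
# connection is examined; an existing connection is never interrupted by
# list changes until it ends, but no new one can start.
/ip firewall filter
add chain=forward connection-state=new src-address-list=restricted \
    dst-address-list=blocked-dst action=drop \
    comment="block listed destinations for restricted devices only"
```

Because the rule matches connection-state=new, it only has to sit above any rule that accepts all LAN traffic unconditionally; the default established/related and fasttrack rules do not match a connection's first packet, so appending the rule after them still works. To verify the ARP side, run /ip arp print after a restricted client renews its lease: its entry should carry the DHCP-added (D) flag rather than appearing as a plain dynamic entry, and a client with a hand-set address should get no entry at all. To verify the firewall side, watch the rule's packet counter in /ip firewall filter print stats while a restricted and a privileged device each try to reach a listed destination.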