I'm puzzled at why you think that the command can only be sent from the process model, not the client: I'm really fond of Rinat's description of a process manager as a human being with a view and a client
https://abdullin.com/post/ddd-evolving-business-processes-a-la-lokad/
In that line of thinking, it's all just clients sending messages, it doesn't really matter if the "client" is a human driven app or a bit of automation.
So if you want the model to respond to commands from administrator Alice and process manager Bob, but not from Eve, that sounds to me like an authorization check at the command handler, to ensure that the authority currently has the appropriate permissions.
Regardless of where the command comes from, the aggregate still has responsibility for maintaining the invariant.
</endOfGuess>
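The handler-level authorization check and aggregate-level invariant described in the post above, as an added example that is not part of the original post. The `ApproveRefund` command, `Order` aggregate, `refund:approve` permission string and handler are hypothetical, and the principal is assumed to come from an authenticated context.

```python
from dataclasses import dataclass

class Unauthorized(Exception): pass
class InvariantViolation(Exception): pass

@dataclass(frozen=True)
class Principal:
    # Assumption: built from the authenticated session or service identity,
    # never from a field the sender fills in on the command itself.
    name: str
    permissions: frozenset

@dataclass(frozen=True)
class ApproveRefund:          # hypothetical command
    order_id: str
    amount: int

@dataclass
class Order:                  # hypothetical aggregate
    paid: int
    refunded: int = 0

    def approve_refund(self, amount):
        # The invariant is enforced here for every caller, authorized or not.
        if amount <= 0 or self.refunded + amount > self.paid:
            raise InvariantViolation("refund total would exceed amount paid")
        self.refunded += amount

class ApproveRefundHandler:
    REQUIRED = "refund:approve"

    def __init__(self, orders):
        self.orders, self.audit = orders, []

    def handle(self, cmd, principal):
        # Same check whether the sender is a human-driven app or automation.
        if self.REQUIRED not in principal.permissions:
            self.audit.append(("denied", principal.name, cmd.order_id))
            raise Unauthorized(principal.name)
        self.orders[cmd.order_id].approve_refund(cmd.amount)
        self.audit.append(("accepted", principal.name, cmd.order_id))
        return self.orders[cmd.order_id].refunded

# Constructed principals, named after the post's Alice, Bob and Eve.
ALICE = Principal("alice (administrator)", frozenset({"refund:approve"}))
BOB = Principal("bob (process manager)", frozenset({"refund:approve"}))
EVE = Principal("eve", frozenset())
```

The audit list records denied attempts as well as accepted ones, so a rejected command from an unauthorized sender still leaves a trace.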