With the new Rulesets you can enforce branches with specific patterns. It was a bit confusing to me at first, because I had to think in inverse to make this rule work.
If you are on GitHub Enterprise you can use the metadata restrictions feature of the new Rulesets:
But if you are on a different plan (free, team), here's a trick that will also do the job.
Create a rule that restricts the creation of any branch
**, then selectively excludes prefixes from this restriction:
Then turn on ✅ Restrict creations.
In case you need specific GitHub apps (such as Dependabot and Renovate or Azure Pipelines) to create arbitrary branch names, you can exclude them from the policy: