Bug or Feature: IAM dynamic policy variable (resource) appears to be resolving to all principals #64

@bc0la

Description

Given the following policy snippet applied to Role A:

```json
"Action": [
    "iam:changepassword"
],
"Condition": {},
"Effect": "Allow",
"Resource": [
    "arn:aws:iam::*:user/${aws:username}"
]
```

This permission is showing up as an inbound action/Role A is showing up as an inbound principal on all users across multiple subscriptions.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html
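As an added example (not code from the issue or from the project it was filed against), here is a small Python model of how the `Resource` element above should be analysed: the `${aws:username}` variable is substituted from the request context before `*`/`?` wildcard matching, contrasted with the over-approximation the issue reports, where the unresolved variable behaves like `*`. The user ARNs are constructed, and an unresolved variable is modelled as "the statement cannot match", which is an assumption of this example.

```python
import re

# ${key} tokens that IAM substitutes from the request context before matching.
VAR_PATTERN = re.compile(r"\$\{([a-zA-Z0-9:/_-]+)\}")


def resolve_resource(resource_arn, request_context):
    """Substitute ${key} variables from the request context.

    Returns None if a referenced key is absent from the context; this example
    treats that as 'statement does not match' (assumption), never as a wildcard.
    """
    missing = False

    def sub(match):
        nonlocal missing
        key = match.group(1)
        if key not in request_context:
            missing = True
            return ""
        return request_context[key]

    resolved = VAR_PATTERN.sub(sub, resource_arn)
    return None if missing else resolved


def arn_matches(pattern, arn):
    """IAM-style Resource matching: only '*' and '?' are wildcards, case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def inbound_users(resource_patterns, users, request_context, naive=False):
    """Return the user ARNs a statement's Resource element actually reaches.

    naive=True reproduces the mis-analysis from the issue: the ${...} token is
    replaced by '*', so every user appears to be in scope.
    """
    reached = set()
    for pattern in resource_patterns:
        if naive:
            resolved = VAR_PATTERN.sub("*", pattern)
        else:
            resolved = resolve_resource(pattern, request_context)
            if resolved is None:
                continue
        reached.update(u for u in users if arn_matches(resolved, u))
    return sorted(reached)


# Constructed sample inventory: users spread across two accounts.
USERS = [
    "arn:aws:iam::111111111111:user/alice",
    "arn:aws:iam::111111111111:user/bob",
    "arn:aws:iam::222222222222:user/alice",
]
RESOURCES = ["arn:aws:iam::*:user/${aws:username}"]
```

Calling `inbound_users(RESOURCES, USERS, {"aws:username": "alice"})` yields only the two `alice` users, `inbound_users(RESOURCES, USERS, {})` (a role session, where `aws:username` is not set) yields nothing, and `naive=True` yields all three.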
