DeviaVir / terraform-provider-gsuite

A @HashiCorp Terraform provider for managing G Suite resources.


impersonated_user_email should not be required

jakubpawlowski opened this issue · comments

G Suite now supports using service accounts without the need for domain wide delegation:
https://gsuiteupdates.googleblog.com/2020/08/use-service-accounts-google-groups-without-domain-wide-delegation.html
However, the provider configuration still requires passing the parameter "impersonated_user_email".

Set up steps:
https://cloud.google.com/identity/docs/how-to/setup#auth-no-dwd

commented

Note: You must use the beta version of the Cloud Identity Groups API to authorize service accounts without using domain-wide delegation.

Hmm, we don't have a stable vs beta provider. Should we wait with implementing this until it's in GA?

That's a good point. If beta features are not added too often, it doesn't make sense to introduce a beta provider for just one feature.
Another option is providing an environment variable to change the endpoint. I did a few spot checks and couldn't see any differences between v1 and v1beta1.

commented

I do like the idea of an environment variable or just provider parameter to enable beta. We can have the provider error out when folks try to use beta parameters but do not have the beta parameter set.

It's working fine now with a GA version of the API. I tested with this method:
https://cloud.google.com/identity/docs/reference/rest/v1/groups/list
It looks like this is the API which should be used for service account with no domain delegation: https://cloudidentity.googleapis.com/v1

I've just noticed an existing resource which uses cloud identity API: https://www.terraform.io/docs/providers/google/r/cloud_identity_group.html
Given that this feature is only for the groups API, one can use the cloud identity resource instead.
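One way to take the route suggested in the last comment, as an added example that is not part of this issue, the gsuite provider, or the google provider's documentation: the `google` provider authenticates with a plain service account key, and the `google_cloud_identity_group` / `google_cloud_identity_group_membership` resources manage the group through the Cloud Identity API (v1), so no `impersonated_user_email` or domain-wide delegation is involved. It assumes the service account has been granted a suitable admin role in the Admin console per the setup steps linked in the first post, that the key file lives at `sa-key.json`, and uses placeholder values for the customer ID, domain and member address.

```hcl
# Added example (not from the gsuite provider or this issue): manage a group
# with the google provider using a service account that was given an admin
# role in the Admin console instead of domain-wide delegation. No user is
# impersonated, so the key only carries the rights of that role.

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

provider "google" {
  # Assumed path to the service account key file; setting
  # GOOGLE_APPLICATION_CREDENTIALS in the environment works as well.
  credentials = file("sa-key.json")
}

resource "google_cloud_identity_group" "example" {
  display_name = "example-group"

  # Placeholder: replace with the Workspace customer ID (customers/C0xxxxxxx).
  parent = "customers/CUSTOMER_ID_PLACEHOLDER"

  # Placeholder group address in the managed domain.
  group_key {
    id = "example-group@example.com"
  }

  # Marks the group as a regular Google Group (discussion forum).
  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

resource "google_cloud_identity_group_membership" "member" {
  group = google_cloud_identity_group.example.id

  # Placeholder member address.
  preferred_member_key {
    id = "alice@example.com"
  }

  roles {
    name = "MEMBER"
  }
}
```

Because the provider block carries no impersonation setting, every call is made as the service account itself; if the Admin console role is too narrow, `terraform apply` fails with a permission error from the Cloud Identity API rather than silently acting as a more privileged user.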