Apologies, I mis-understood your question. So you want to route calls based on outgoing not incoming. In that case, if you know the extensions in both cases, then this can be achieved via Class of Restriction.
Basically, you create two new COR for both groups, let say COR20 for group 1 (Withheld) and COR21 for group 2 (CLI). and then follow these programmig steps:
1 - Ensure that COR 20 blocks COR 21 and vise versa.
2 - Create 2 trunk groups (Trunk grp 1 for withheld and Trunk grp 2 for CLI)
3 - Create routes (however many are needed) each route details the Trunk with the relevant COR (so Route 20 with TG1 and COR 20 and route 21 with TG2 and COR 21)
4 - Create a route list with the route just created (RL 20 1st route 20 , 2nd route 21)
5 - change your Digits dialled to point to this Route List
What will happen if set-up correctly is that when the extensions with COR 21 hit route list 20, then they will be barred from the 1st route and therefore cannot use that TG, but will still be able to dial out via the 2nd route. and this will be the same but in reverse for users with COR 30.
I hope this helps