rrsync is designed to be used as a forced command for a particular key, so it should be exactly what you want.
A forced command is set up using the command option for a key in an authorized keys file and is then always run whenever this key is used for authentication, no matter what command the client requested. But it has access to the requested command, so it can, for example, implement a validated, restricted version of it, and that's what rrsync does.
You use it like this:
command="/path/to/rrsync -wo /allowed/directory/",restrict,from="a.b.c.d" ecdsa-sha2-nistp521 AAAAE...
Access for this key is limited to rsync to the /allowed/directory/ only. The -wo (write only) option means that rsync will only be allowed to send to the remote machine; -ro would only allow reading from the remote system, and giving no option would allow transfer in both directions.
On the local side, when you give arguments to rsync, you must give the remote path relative to the allowed directory, so on A you would do e.g. rsync -options /local/path root@B: and not rsync -options /local/path root@B:/allowed/directory/.
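The forced-command mechanism described above, as an added example that is not part of the original answer and is not rrsync's code: a simplified sketch of how a forced command can inspect the request sshd passes in SSH_ORIGINAL_COMMAND and refuse anything outside the key's purpose. The function name check_request, its mode argument and the character allowlist are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration of the forced-command mechanism; a simplified sketch,
# not rrsync's code. sshd exports what the client asked to run as
# SSH_ORIGINAL_COMMAND, and the forced command decides what happens to it.

# check_request MODE REQUEST -> prints "allow" or "deny: <reason>"
# MODE: wo (write-only), ro (read-only) or rw, mirroring -wo / -ro / no option.
check_request() {
    mode=$1
    request=$2

    # Accept only an rsync server invocation; an interactive login (empty
    # request) or any other command is refused.
    case $request in
        "rsync --server "*) ;;
        *) echo "deny: not an rsync server command"; return 1 ;;
    esac

    # Allowlist of characters (this sketch's own policy): anything left over
    # after deleting them, such as ; | $ or a backtick, is refused.
    leftover=$(printf '%s' "$request" | tr -d 'A-Za-z0-9 ._/=,:@+-')
    if [ -n "$leftover" ]; then
        echo "deny: unexpected character"; return 1
    fi

    # --sender means the remote side sends, i.e. the client is reading.
    case " $request " in
        *" --sender "*) direction=read ;;
        *) direction=write ;;
    esac
    case "$mode:$direction" in
        wo:read)  echo "deny: reading from write-only key"; return 1 ;;
        ro:write) echo "deny: writing with read-only key"; return 1 ;;
    esac

    # The last word is the path, taken relative to the allowed directory.
    path=${request##* }
    case "/$path/" in
        */../*) echo "deny: path escapes allowed directory"; return 1 ;;
    esac
    case $path in
        /*) echo "deny: absolute path"; return 1 ;;
    esac
    echo allow
}

# Installed as a forced command, it would be called as:
#   check_request wo "$SSH_ORIGINAL_COMMAND"
```

The sample requests used to exercise it are constructed; real rsync server command lines carry more options than this sketch accounts for.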