How to create an environment where each user's VM is isolated

Thanks to libvirt's PolicyKit support, I believe this can be done, depending on how many features you require.

You can create the rules yourself, and from the PolicyKit ACLs they can access a database (file, server, etc.) to get the information about the owners. Also, if the PolicyKit rule has write access to the database, you can assign VMs to their respective owners when they get created, hence creating that database automatically. It might not be foolproof (e.g. when the VM definition fails, the database will already have that record), so some more hooks might be necessary, depending on how much functionality you are looking for. That's why there are projects building on top of libvirt (or just scripts deployed by admins) that offer more functionality.

If a simpler thing is enough for you, then you can say that users can call APIs only on VMs whose names start with their username. Just make sure corner cases are covered (e.g. user "bla" cannot access the machines of user "blabla").

As said, depending on how much functionality you need, it can either be done easily with a few lines of a script, or you might need a full-blown virtualisation system sitting on top of libvirt.

One more thing that nobody mentioned (and it might be what you want/are looking for): if you (as a non-root user) connect to qemu:///session (instead of qemu:///system, see Connections to QEMU driver), you will connect to your own instance of the libvirt daemon and you will only see your own machines (in other words, it will be isolated from other users' session daemons).
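A polkit rules file implementing the username-prefix scheme suggested above, written here as an added example (not code from the post or from the libvirt project); it assumes libvirt's documented ACL action ids (org.libvirt.api.domain.*) and the "domain_name" attribute, and picks "-" as a separator (this example's own convention) so that user "bla" cannot reach the domains of user "blabla". The decision logic is kept free of polkit globals so it can also be run and tested stand-alone with node.

```javascript
// Added example: libvirt ACL rule "a user may only touch domains named
// <user>-<something>". Assumes libvirt's org.libvirt.api.domain.* action ids
// and the domain_name attribute; the "-" separator is our own convention.

const SEPARATOR = "-";

// True only if domainName is "<user>-<non-empty suffix>". The separator
// closes the prefix corner case: user "bla" does not match "blabla-web1",
// and a bare "bla-" (empty suffix) is rejected as well.
function isOwnedBy(domainName, user) {
  if (typeof domainName !== "string" || typeof user !== "string" || !user) {
    return false;
  }
  const prefix = user + SEPARATOR;
  return domainName.length > prefix.length && domainName.startsWith(prefix);
}

// Decision logic. `action` mimics polkit's action object ({ id, lookup(key) })
// and `subject` its subject ({ user }). Returns "YES", "NO", or null when the
// rule does not apply and later rules / the default policy should decide.
function decide(action, subject) {
  if (!action.id.startsWith("org.libvirt.api.domain.")) {
    return null; // connect-, network-, storage-level APIs: not handled here
  }
  if (subject.user === "root") {
    return null; // leave the administrator to the default policy
  }
  const name = action.lookup("domain_name");
  if (name === undefined || name === null) {
    return null; // no domain attribute on this call, defer
  }
  // Deny-by-default within scope: any domain not owned by the caller is NO.
  return isOwnedBy(name, subject.user) ? "YES" : "NO";
}

// Register with polkit when loaded as a rules file (e.g. from
// /etc/polkit-1/rules.d/); under plain node the `polkit` global is absent.
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    const r = decide(action, subject);
    if (r === "YES") return polkit.Result.YES;
    if (r === "NO") return polkit.Result.NO;
    return polkit.Result.NOT_HANDLED;
  });
}
```

Remember that polkit evaluates rules files in order and the first rule returning a result wins, so this file must sort before any rule that grants libvirt access more broadly.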
Well, just like advertised in the article you link, libvirt does support PolicyKit on a per-API basis (we call it ACL). So if you set up some polkit rules, you should be able to get what you want. For instance, domain X would be visible just to user Y. Unfortunately, I don't think it's possible to make those rules dynamic (I mean, if a user creates a domain, it will be visible just to them).