Is there a recommended Resource policy condition for determining that a valid JWT was provided? I need to make a policy that doesn't have any Role conditions and only looks at the JWT since the Principals won't have any Roles defined

If you provide a key set, Cerbos will verify the JWT automatically: https://docs.cerbos.dev/cerbos/latest/configuration/auxdata.html There's no function to do that explicitly though.