I have a solution to my problem.
For reference, I am putting it here :
I recall that my issue is that postfix authorises login with root (or other users), even though authentication is delegated to dovecot, and the documentation about {first,last}_valid_{g,u}id seems to say that is should not be possible (and that authentication to dovecot with root is also forbidden in a hardcoded way).
I thank Mr. Ardley to have pointed out that dovecot delegates the authentication to PAM.
What actually happens (in my case at least) is that dovecot questions PAM about a specific authentication attempt, and receives PAM's answer. Then, *and only for itself*, it applies its own restrictions regarding root login and {first,last}_valid_{g,u}id. When it authenticates on behalf of postfix, it notifies postfix of success directly.
So the semantic of {first,last}_valid_{g,u}id should be understood for dovecot only, not for other processes that have delegated authentication to dovecot, which answers my first question.
Then, on how to effectively restrict postfix submission login based on uids, the simple solution not involving virtual users is to set these conditions in PAM directly.
The conditions that dovecot must match in order to succeed authentication with PAM are in the file /etc/pam.d/dovecot (at least on Debian) :
#%PAM-1.0
@include common-auth @include common-account @include common-session
A simple way to restrict login based on uids is to modify the file as such :
#%PAM-1.0
auth required pam_succeed_if.so uid > 500 quiet @include common-auth @include common-account @include common-session
Now, in order for dovecot (and *for every process it authenticates on behalf of* as well, which is what matters) to succeed authentication, the uid will have to be greater than 500. It is possible to specify other conditions as well, see https://linux.die.net/man/8/pam_succeed_if.
Best regards to everyone,
Aymeric