Updating my original post as it is now solved. The problem I was having with the other posts not working was a bug in sync persistence shown here.
The straight-forward method is this:
Conditions: !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "bookmark") and !user.IsAnonymous()
Logic: Non-anonymous users can create app objects on apps which belong to streams where the user already has read privileges, and the object that they are creating is a bookmark.
Additionally, publish rights to the stream are not required.
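As an added illustration (not part of the original post and not Qlik's own rule engine), the rule above can be modelled in plain Python to check which combinations of user and object it actually permits. The `User` and `AppObject` classes, the `app_privileges` set standing in for `resource.App.HasPrivilege("read")`, and the empty-string convention for `resource.App.stream.Empty()` are all constructed assumptions for this model; in Qlik the privilege check is resolved by the engine against the other security rules.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Constructed stand-in for the Qlik user object."""
    name: str
    anonymous: bool = False
    # privileges the user already holds on the app (models HasPrivilege("read"))
    app_privileges: set = field(default_factory=set)


@dataclass
class AppObject:
    """Constructed stand-in for the app object being created."""
    object_type: str          # e.g. "bookmark", "sheet", "story"
    app_stream: str = ""      # "" models resource.App.stream.Empty()


def bookmark_create_rule(user: User, resource: AppObject) -> bool:
    """Model of the rule:
    !resource.App.stream.Empty() and resource.App.HasPrivilege("read")
    and (resource.objectType = "bookmark") and !user.IsAnonymous()
    """
    return (
        resource.app_stream != ""                 # app must be published to a stream
        and "read" in user.app_privileges         # user already has read on the app
        and resource.object_type == "bookmark"    # only bookmarks, not sheets/stories
        and not user.anonymous                    # anonymous users are excluded
    )


def decision_table() -> dict:
    """Evaluate the rule over constructed cases covering each condition."""
    reader = User("alice", app_privileges={"read"})
    anon = User("anon", anonymous=True, app_privileges={"read"})
    no_read = User("bob", app_privileges=set())

    cases = {
        "reader creates bookmark on streamed app":
            (reader, AppObject("bookmark", app_stream="Finance")),
        "reader creates sheet on streamed app":
            (reader, AppObject("sheet", app_stream="Finance")),
        "reader creates bookmark on unpublished app":
            (reader, AppObject("bookmark", app_stream="")),
        "anonymous creates bookmark on streamed app":
            (anon, AppObject("bookmark", app_stream="Finance")),
        "user without read creates bookmark":
            (no_read, AppObject("bookmark", app_stream="Finance")),
    }
    return {name: bookmark_create_rule(u, r) for name, (u, r) in cases.items()}


if __name__ == "__main__":
    for name, allowed in decision_table().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {name}")
```

Only the first case is allowed; every other row is denied by exactly one of the four conditions, which is the least-privilege outcome the post describes: read access on a streamed app is enough to create a bookmark, and nothing more (no publish right, no other object types) is granted.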