But, what if you really want to be really precise on the command? Using the above example, not only running rsync but also specifying the path and the arguments? You could cheat and find what the command you are sending is supposed to look like by replacing (temporarily) your wrapper script with this

 #!/bin/sh

 DEBUG="logger" # Linux
 #DEBUG="syslog -s -l note" # OSX

 if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
         $DEBUG "Passed SSH command $SSH_ORIGINAL_COMMAND"
 elif [ -n "$SSH2_ORIGINAL_COMMAND" ]; then
         $DEBUG "Passed SSH2 command     $SSH2_ORIGINAL_COMMAND"
 else
         $DEBUG Not passed a command.
 fi

Then you run the ssh command and see what it looks like in the log file. Copy that to your original wrapper script, and you are good to go. So

 ssh -t -i /home/raub/.ssh/le_key raub@virtualpork echo "Hey"

Results in

 Dec 26 13:34:05 virtualpork syslog[64541]: Passed SSH command echo Hey

While

 rsync -avz -e 'ssh -i /home/raub/.ssh/le_key' raub@virtualpork:Public /tmp/backup/

results in

 Dec 26 13:28:17 virtualpork syslog[64541]: Passed SSH command rsync --server  --sender -vlogDtprze.iLs . Public

The latter meaning our little wrapper script would then look like

 #!/bin/sh
 case $SSH_ORIGINAL_COMMAND in
     "rsync --server --sender -vlogDtprze.iLs . Public")
         $SSH_ORIGINAL_COMMAND
         ;;
     *)
         echo "Permission denied."
         exit 1
         ;;
 esac

///

find command:
grep "Passed SSH command" /var/log/syslog