In FileMaker help, look up: Editing record access privileges. Then scroll down to the section titled: Entering a formula for limiting access on a record-by-record basis.
Since an invoice typically has at least two tables, you'll want to set up lock fields and lock expressions for each such table. Also, be aware that this lock expression won't keep a user from adding a new related record via the line items portal. You'll need to use a script trigger and/or a validation rule that checks the same lock field value to keep them from doing that.