What you want to do is hook into the authenticate
hook, check if the user has the pending
role, and if so, throw an error.
//* Add filter to the authenticate hook
add_filter( 'authenticate', 'wpse_263762_authenticate', 20, 3 );
function wpse_263762_authenticate( $user, $username, $password ) {
//* Check if the user has the pending role
if( ! is_wp_error( $user ) && in_array( 'pending', $user->roles ) ) {
//* Throw an error
$error = new WP_Error();
$errorMessage = __( 'Your error message goes here.' );
$error->add( 401, $errorMessage );
return $error;
}
//* Or return the user
return $user;
}