As said in the other answer: yes this is a reasonable idea, RSA allows secure signature of the low-entropy public data, that can be verified openly as matching said data, but can't be generated without the private key. Examples of valid signatures and the public key will not reveal the private key, or ways to produce other signatures. Several standardized signatures schemes do this routinely (but of course there is nothing to prevent copy of the public data and it's signature).
Now the question adds:
Is there a way to do this securely with only 256 bits of output data?
Not with RSA. A 256-bit RSA signature would be insecure, because these are (within few bits) as wide as the public modulus, and 256-bit is way too small (384-bit was already too small in the 1990's, and there's been considerable progress since then, see this).
256-bit is near the verge, and rather on the wrong side, of what well-vetted signature schemes can give with high security. I recently asked about this, making an inventory of what I know among standardized schemes, with nothing below 384-bit at the 128-bit security level commonly recommended for high-security in the next decades.
On the other hand, if one is happy with like 90-bit security (which would still put the projected attack cost using today's means into the billions euro), and don't need something standardized, it's possible to use short Schnorr signature (which nominally would be 270-bit) and a few tricks to trade a longer signature generation and/or verification time against a few less bits of signature. I can detail that if needed.
Another option would be BLS signature e.g. on curve BN254 or BN256, which fits the size goal and would be at least comparably as secure according to these comments, but that's out of my comfort zone.