Help: VLAN firewall/routing on Mikrotik Switch? Or, on custom router?

Sorry for not responding line by line today, just summarising. The poetry of the CRS3xx line is that the switch chip settings, which have to be configured using dedicated branches of the configuration tree on all other RB products that feature switch chips, are integrated into the “bridge” settings here. That induces a fear that the forwarding might be done in software, but that’s not the case.

So look at @pcunite’s tutorial on VLANs, or use the official documentation on Wiki regarding bridge with vlan-filtering set to yes, and rest assured that as long as the frames need to be forwarded from one physical ethernet port to another, on CRS3xx the CPU won’t take part in that process.

As for linking SSIDs to VLAN IDs, that should be outside the CRS scope; decent APs do that internally. Mikrotik’s wireless access list adds tricks like assigning a VLAN ID and a personal WPA passphrase to an associated client based on its MAC address (or, if you are totally insane, based on signal strength), so you can have a single SSID on air but privileged users may get different treatment on that SSID. Of course the same (except matching on signal strength) can be achieved using EAP authentication against a RADIUS server on many other APs, but Mikrotik can do this standalone, with “WPA(2)-personal” and no external server (whereas, on the other side, the internal RADIUS server called User Manager does not support EAP to date).
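
The two mechanisms described in the post above, sketched as a RouterOS configuration. This is an added example, not part of the original post; the interface names, VLAN IDs, MAC address and passphrase are constructed placeholders, and the wireless part assumes a MikroTik AP using the `/interface wireless` menu.

```routeros
# Added example. ether1-ether3, wlan1, VLAN 10/20, the MAC address and the
# passphrase are constructed placeholders, not values from the thread.

# --- On the CRS3xx: VLAN switching configured through the bridge ---
/interface bridge
# Create the bridge with filtering off while the VLAN table is being built
add name=bridge1 vlan-filtering=no

/interface bridge port
# ether1 = trunk to the router, ether2 = trunk to the AP
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
# ether3 = access port in VLAN 10; tagged frames arriving here are dropped
add bridge=bridge1 interface=ether3 hw=yes pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=ether1,ether2 untagged=ether3
add bridge=bridge1 vlan-ids=20 tagged=ether1,ether2

# Enable filtering last, so a half-built VLAN table cannot cut off access
/interface bridge set bridge1 vlan-filtering=yes

# Ports carrying the "H" flag are forwarded by the switch chip, not the CPU
/interface bridge port print

# --- On the MikroTik AP: one SSID, per-client VLAN and passphrase ---
/interface wireless access-list
# This client joins the common SSID but is tagged into VLAN 20 and must
# authenticate with its own passphrase instead of the SSID-wide one
add interface=wlan1 mac-address=02:00:00:00:00:01 \
    vlan-mode=use-tag vlan-id=20 \
    private-pre-shared-key="constructed-passphrase" \
    comment="privileged client"
```

A client's MAC address is self-asserted, so the VLAN assignment in the access list is only as strong as the per-client passphrase bound to that entry.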