Help With Isolating Guest WiFi SSID with VLAN

Regarding CRS: since SFP-2 is a member of the bridge, you should configure VLANs entirely on the bridge. Check this tutorial, it should give you plenty of good ideas. Since most of the traffic is untagged, you want to make SFP-2 a hybrid port (untagged with the default setting of pvid=1, plus tagged for VID 999).

Regarding hAP ac3: omit the line regarding VLAN ID=1 from /interface bridge vlan and move the IP address to the bridge interface. Ether1 should be a hybrid port; it has to match the SFP-2 settings … and the rest of the ports, members of the “default VLAN”, need it untagged as well, which includes wlan1 and wlan2.

The bridge can be confusing because it has a few personalities. This tutorial explains the whole lot of it.
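
The hybrid-port layout described in this reply, sketched as RouterOS configuration. This is an added example, not part of the original post: the bridge name `bridge`, the CRS port name `sfp-sfpplus2` (standing in for SFP-2) and the guest interface name `wlan-guest` are assumptions, and it assumes a CRS model whose VLANs are handled by bridge VLAN filtering.

```routeros
# ---- CRS (assumed names: bridge "bridge", SFP-2 = sfp-sfpplus2) ----
# Hybrid port: untagged traffic stays in the default VLAN (pvid=1),
# VLAN 999 is carried tagged on the same link.
/interface bridge port
set [find interface=sfp-sfpplus2] pvid=1 frame-types=admit-all
/interface bridge vlan
add bridge=bridge vlan-ids=999 tagged=sfp-sfpplus2
# Any other CRS port that must carry VLAN 999 onward also has to be
# listed in tagged= above (not shown, the thread does not name it).

# ---- hAP ac3 (assumed names: bridge "bridge", guest AP "wlan-guest") ----
/interface bridge port
# ether1 mirrors the CRS side: untagged pvid=1 plus tagged VID 999
set [find interface=ether1] pvid=1 frame-types=admit-all
# wlan1 and wlan2 stay untagged members of the default VLAN
set [find interface=wlan1] pvid=1
set [find interface=wlan2] pvid=1
# guest SSID interface is an access port for VLAN 999
add bridge=bridge interface=wlan-guest pvid=999 \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
# Only VID 999 is listed; no entry for VLAN ID=1 is added here.
# Untagged membership follows from each port's pvid.
add bridge=bridge vlan-ids=999 tagged=ether1

# ---- both devices: enable filtering last, ideally from Safe Mode ----
/interface bridge set bridge vlan-filtering=yes

# Check the resulting membership, including dynamic untagged entries
/interface bridge vlan print
/interface bridge port print
```

With `vlan-filtering` still off the entries above have no effect, so a mismatch between the ether1 and SFP-2 settings only shows up once filtering is enabled on both ends.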