Inter-AP isolation [expert question]

Anyone have any experience in isolating multiple APs in the same broadcast domain?

E.g., say you have two APs on a switch without port isolation capability, which also connects to the router.

I guess one could use bridge filtering in the forward chain with a MAC address whitelist, but this is difficult from a management perspective. Thoughts/experience/comments?

That’ll get tricky, I agree.
The smartest option would be using CAPsMAN with manager forwarding and bridge horizon for the connected CAPs.
When this is impossible, I quite often go for QinQ and assign bridge horizons to the specific VLANs.

-Chris
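
The CAPsMAN approach from the reply above, sketched as an added example (not configuration posted by either participant). It uses the legacy `/caps-man` menu and assumes CAPsMAN runs on the router; the names `bridge-caps`, `dp-isolated`, `sec-wpa2`, `cfg-isolated`, the SSID, the passphrase placeholder and the uplink port `ether1` are all assumptions.

```routeros
# Added example: all object names, the SSID and ether1 are assumed, not from the thread.

/interface bridge
add name=bridge-caps

# Uplink toward the LAN: no horizon is set on this port, so it can
# exchange frames with every CAP interface.
/interface bridge port
add bridge=bridge-caps interface=ether1

/caps-man security
add name=sec-wpa2 authentication-types=wpa2-psk encryption=aes-ccm \
    passphrase="REPLACE-WITH-PASSPHRASE"

/caps-man datapath
# local-forwarding=no            manager forwarding: client traffic is tunnelled
#                                to the CAPsMAN instead of being bridged on the AP,
#                                so the shared switch only carries the CAP tunnels
# client-to-client-forwarding=no clients on the same CAP interface stay isolated
# bridge-horizon=1               every CAP interface joins the bridge with the same
#                                horizon; the bridge never forwards between ports
#                                that share a horizon value, so AP-to-AP is blocked
add name=dp-isolated bridge=bridge-caps bridge-horizon=1 \
    local-forwarding=no client-to-client-forwarding=no

/caps-man configuration
add name=cfg-isolated ssid=example-ssid security=sec-wpa2 datapath=dp-isolated

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-isolated

/caps-man manager
set enabled=yes

# Check after the CAPs have joined: each CAP interface should be listed
# as a port of bridge-caps with horizon 1.
/interface bridge port print where bridge=bridge-caps
```

Because the wireless client frames reach the bridge only through the CAP tunnels, the switch without port isolation never sees them as separate stations, and no per-client MAC whitelist has to be maintained.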