Most effective solution for device blocking

And after this configuration is done, Add ARP For Leases should be turned on for the DHCP server and the ARP mode of the interface (bridge or VLAN) should be changed to reply-only.


This is a reason why, for my WiFi networks, phones/tablets/laptops are put on SSIDs (only one needed per site) with WPA2-Enterprise/WPA3-Enterprise with their individual login accounts. The MAC address is no longer important, as restrictions are per account, including placing the device with the account in a specific VLAN, and any limitation is configured on that VLAN. This works for both IPv4 and IPv6 (Android is only capable of SLAAC, limitation per individual IPv6 address is useless), and is great when all your kids already know how to turn on MAC randomization on their devices.

Other devices only capable of PSK (which include most IoT devices) can also share another single SSID with PPSK and can be assigned to different VLANs too. But this restricts the security to WPA2. You’ll need multiple SSIDs if WPA3 is a requirement.