Thanks Feklar for clarifying this so promptly. This points me in the correct direction. I may have got confused by articles and posts explaining that the hotspot itself acts as a proxy even for authenticated users (mum.mikrotik.com/presentations/US10/FelixWindt.pdf and http://wiki.mikrotik.com/wiki/Manual:Customizing_Hotspot), so I thought I should be able to setup proxy filtering rules within this hotspot proxy, including for authenticated users.
So in this other post of yours (http://forum.mikrotik.com/t/using-mikrotik-web-proxy-in-hotspot-setup/42713/1), you mention that the redirection to the proxy can be achieved either with a NAT rule (or a rule in the pre-hotspot table), or by ticking on the “transparent proxy” box in the user profile. My question is: do you know exactly what firewall rule is added when this “transparent proxy” box is ticked on? What is getting at me is that we can only tick the box, but there is nowhere to specify which port the proxy in question is listening to?