Yes, it can be done. This example isn't 100% the same as yours but it should be similar.
I made a mAP-lite (1 ethernet port) into my home router by using the physical ethernet interface as the WAN link, and a VLAN interface on top of the physical interface as the internal facing network. Just as an exercise. I didn't contemplate all security implications. I turned off any discovery protocols on the external interface.
You need a VLAN aware switch attached.
Vlan 2 (on the switch) is the external interface. It's the ether1 interface with dhcp client on the MIkrotik:
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
Vlan 3 is the internal facing network, 192.168.x.x
/interface vlan
add interface=ether1 name=vlan3 vlan-id=3
/ip address
add address=192.168.x.1/24 interface=vlan3 network=192.168.x.0
(I use a separate DHCP server but the default one should work if you change it's interface to the bridge)
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=wlan1
add bridge=bridge interface=vlan3
I used a Cisco switch but it should be possible to use anything. A hAP-lite or mini would be a very cheap way to do it. The "native" interface would be vlan 2, the trunked (tagged) part is vlan 3. Cisco stuff:
int port f0/1 (facing internet)
switchport access vlan 2
int port f0/2 (facing router)
switchport trunk allowed vlan 2,3
switchport trunk native vlan 2
switchport mode trunk
int port f0/3 (connected to your internal network)
switchport access vlan 3
In my case I added a bridge for the WiFi interface and vlan 3 so I could use the WiFi internally as well. Not sure if that's relevant to you.
There are lots of combinations of how you could do this with VLANS, this is just one of them.
Would like to hear what the security implications of doing this are in general and for a MikroTik in particular from someone who has been around longer than I have.