You can do it using single bridge or using two bridges. I'm using single bridge, I feel it is simpler if I want to change VLAN membership of any given ethernet port.
I have a VLAN for normal access ports (in your case ports 1-22) even though it's internal to RB device. You never know when you'll be adding additional VLAN- capable switch. Or you might want to split your LAN to two or more VLANs so why not prepare for it in advance. Be careful, though: if you introduce VLAN to all access ports, you'll need to create vlan device on bridge and assign RBs IP address to that particular vlan device in order to have management access to RB device. And anything else your RB device might serve to your LAN (e.g. DHCP server) gets configured on that vlan device as well. In short, bridge "device" will not be directly seen anymore. You don't configure anything regarding VLANs on bridge device though.
If you'd introduce VLAN 999 to be used internally for access ports, you'd configure your ethernet ports as following:
/interface ethernet switch port
set N default-vlan-id=999 vlan-header=add-if-missing vlan-mode=secure
set 23 default-vlan-id=4 vlan-header=add-if-missing vlan-mode=secure
set 24 vlan-mode=secure
/interface ethernet switch vlan
add ports=switch1-cpu,ether1,ether2,...,ether22 switch=switch1 vlan-id=999
add ports=ether23,ether24 switch=switch1 vlan-id=4
N is for ports 1-22. On port 24 all ethernet frames are expected to be marked with VLAN headers, hence no default VID settings. Since that ethernet port is only member of VLAN 4 group, any packets with different VLAN ID will be rejected.
If your RB has several switch chips, you'll need to split the "add ports=" command to several commands, one per switch chip ... and remember to add switch-cpu "port" to all of them so the bridge will see VLAN-tagged packets from all of them.
If switch-cpu is not on the list of ports for a given VLAN ID, that VLAN is not available upwards (e.g. bridge connecting switched ports with wlan or whatever else). Meaning that for VLAN 4 your RB will be completely transparent, no interaction with routerOS will be possible using that VLAN. Actually if you'd create separate bridge for this VLAN, it would never get used.
A side note: even though ROS allows it, I don't think you can use VLAN ID 1 for any settings, it didn't work for me. I suspect that VLAN ID 1 is actually used implicitly for untagged ethernet frames and using it explicitly screwes things up.