...in principle yes, this should be possible.
It will depend on the capability of your ASUS to enable VLAN tagging for each WiFi Interface or even SSID (if you plan to have more than one per band).
Edit: ...and you do not want to run your ASUS in router mode but rather in AP-mode, if the firmware is capable of doing so. If the stock firmware is not capable of doing that, you'll either have to move away from the ASUS or try a different firmware source (merlin or openwrt, for example)
Edit2: Wifi-Client isolation also needs to be enabled / is a feature of the ASUS and its firmware ... you will need to test, if this needs additional tweaks in the Hex-S but I think not.
Also assuming your Switch is capable of enabling VLANs, you most likely - for simplicity - would want to enable each port as a trunk port unless you want to force non-VLAN-capable clients into one, by using single ports as access ports, like for your TV.
See this for a start:
viewtopic.php?t=143620 ... you should start with the "Switch with a separate router (RoaS)" scenario.
You also will need to run each VLAN through the Hex-S and its firewall, for performing the VLAN filtering and isolation in there.
In terms of performance expectations, I don't have the real experience with the Hex-S, but for that, what you have scetched in your paper, it will be fine, I think.