Been a long time since I have played with an Edge Router but I am fairly sure they do have firewall functions. As Tom said, not much to do in the cloudkey short of creating the ssid’s that are tagged on the vlans you setup elsewhere.
What ever you do you are going to need a way to identify your clients to the firewall so that it knows what ACL’s to apply.
My go to would be to setup a vlan per access group, drop a subnet on each vlan and filter based on the subnet. You can then untag wired devices on the correct vlan and create a separate ssid for each vlan. Keep in mind that unifi recommend 4 or less ssid’s per AP so don’t go crazy.
You could do it by fixing IP address’ on client devices (via your DHCP server) as well but that’s easier to work around if you are concerned about security (which, you sould be)
RADIUS would also be an option but by the sounds of what you are saying might be a bit over the top for your setup / available resourced.