Forum Discussion
You can attach a Layer 7 ACL so that, after the access policy evaluation is done, the users that do not have the AD group will be blocked for some URL.
https://my.f5.com/manage/s/article/K08200035
You can also see the link below, as if you do not decrypt the traffic, FQDN domains or SSL SNI can be used with an iRule/local traffic policy, or a per-request policy that will check each request:
https://community.f5.com/t5/technical-forum/l7-https-acl-with-apm-ssl-vpn-not-working/td-p/207920
Edit:
You can also use the per-request policy to trigger an iRule that will get the session group membership and block the users if they do not have the group but are trying to reach the destination FQDN/SNI, or URL if you are decrypting the traffic and this is not a VPN APM implementation (for VPN/Portal you will need a layered VS: https://my.f5.com/manage/s/article/K03113285).
https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/apm/apm_policy_agent_irule-event.html
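A sketch of the iRule side of the per-request approach described in the edit above, added here as an illustration and not part of the original post. The agent ID `check_ad_group`, the group DN, and the `|`-separated layout of `session.ad.last.attr.memberOf` are assumptions to adjust for your policy.

```tcl
# Added example, not from the original post.
# Assumptions:
#  - the per-request policy has an iRule Event agent with ID "check_ad_group"
#    (hypothetical name) placed on the branch for the restricted FQDN/SNI/URL
#  - an AD Query in the per-session policy populated session.ad.last.attr.memberOf,
#    stored as a "|"-separated list of group DNs
#  - the group DN below is a constructed placeholder
when RULE_INIT {
    set static::required_group "cn=app-users,ou=groups,dc=example,dc=com"
}

when ACCESS_PER_REQUEST_AGENT_EVENT {
    # Only react to the agent this rule was written for.
    if { [ACCESS::perflow get perflow.irule_agent_id] ne "check_ad_group" } {
        return
    }

    set member_of [string tolower [ACCESS::session data get "session.ad.last.attr.memberOf"]]

    # Fail closed: a missing or empty memberOf attribute ends up as "deny".
    set verdict "deny"
    foreach dn [split $member_of "|"] {
        # Exact DN comparison, so a similarly named group cannot match by substring.
        if { [string trim $dn] eq $static::required_group } {
            set verdict "allow"
            break
        }
    }

    if { $verdict eq "deny" } {
        set user [ACCESS::session data get "session.logon.last.username"]
        log local0.notice "per-request group check: denying user '$user' (required group missing)"
    }

    # Hand the result back to the per-request policy. A branch rule after the
    # agent can test it, e.g. expr { [mcget {perflow.custom}] eq "deny" },
    # and lead to a Reject ending; every other branch continues to Allow.
    ACCESS::perflow set perflow.custom $verdict
}
```

The iRule only computes the verdict; the block itself is enforced by the Reject ending in the per-request policy, so the rule must be attached to the same virtual server as that policy.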