Forum Discussion
Limit particular AD users on APM?
There's user limiting via AD, and there's also limiting via a local user database and checking that after AD authentication succeeds. I use that for VPN to assign network access profiles based on the presence of the user in the local db as well as the group name they're assigned to (e.g., Network team folks have a slightly different access policy than Server team folks, and both teams have their own SNAT pool address, whereas everyone else gets a "default" or auto one). Works fine for a reasonably small number of users.
With what you're doing you could add a local user db and populate it with the people who should have access. Check that db for the user (use the same IDs they use for AD auth) after AD auth succeeds. If they're there, fine, proceed. If not, deny access.
All this if/then stuff you add/modify in the Access Policy using the Visual Policy Editor.