I would change the WiFi firewall policy to deny all traffic by default.
Then create a group policy called something like "Approved", where you override the firewall rules to allow access. Then apply this to approved clients.
You could also whitelist clients instead