From your description, it seems like a client device on the WIFI VLAN is attempting to get a DHCP lease from the AP-MGMT VLAN, which is quite unusual.
Typically, clients should only send DHCP requests on their associated VLAN (in this case, the WIFI VLAN). The AP should encapsulate these client frames into a CAPWAP tunnel, which would then be sent to the MX or the switch on the AP-MGMT VLAN. However, only AP-MGMT traffic should be sent on this VLAN, not client traffic.
If a client is somehow sending DHCP requests on the AP-MGMT VLAN, it could potentially be due to a misconfiguration. Here are a few things to check:
VLAN Settings: Ensure that the VLAN settings on both the AP and the switch are correct. The AP should be tagged on the AP-MGMT VLAN, and the switchport should be configured to allow the necessary VLANs.
DHCP Server: Ensure that the DHCP server on the AP-MGMT VLAN is not set to respond to client requests.
Switchport Configuration: Make sure the switchport where the AP is connected has the correct configuration. The native VLAN should be set to the AP-MGMT VLAN and the allowed VLANs should include the DATA and WIFI VLANs.
Wireless Client Configuration: Check the client's wireless and network settings to ensure it's not manually set to use the AP-MGMT VLAN.
Access Control Lists (ACLs): Check if there are any ACLs that might be allowing the client to access the AP-MGMT VLAN.
SSID Configuration: Ensure that the SSID is correctly associated with the WIFI VLAN.
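
One way to confirm the symptom from a capture taken on the AP's switchport, as an added example that is not part of the original post: it parses client DHCP frames, reads the 802.1Q tag (untagged frames are treated as the native AP-MGMT VLAN), and lists MACs that request leases on AP-MGMT without being known APs. The VLAN IDs (10 for AP-MGMT, 30 for WIFI), the AP MAC inventory, the function names and the sample frames are constructed assumptions.

```python
import struct

AP_MGMT_VLAN = 10                        # assumed VLAN ID; also the trunk's native VLAN
KNOWN_AP_MACS = {"00:11:22:33:44:55"}    # constructed AP inventory

def parse_dhcp(frame, native_vlan=AP_MGMT_VLAN):
    """Return (vlan, client_mac, dhcp_msg_type) for a client DHCP frame, else None."""
    if len(frame) < 18:
        return None
    vlan, off = native_vlan, 14          # untagged frames ride the native VLAN
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100:              # 802.1Q: low 12 bits of the TCI are the VLAN ID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < off + 20 or frame[off + 9] != 17:
        return None                      # not IPv4/UDP
    udp = off + (frame[off] & 0x0F) * 4
    bootp = udp + 8
    if len(frame) < bootp + 240 or struct.unpack("!HH", frame[udp:udp + 4]) != (68, 67):
        return None                      # not client-to-server DHCP
    if frame[bootp + 236:bootp + 240] != b"\x63\x82\x53\x63":
        return None                      # missing DHCP magic cookie
    mac = ":".join(f"{b:02x}" for b in frame[bootp + 28:bootp + 34])   # chaddr
    i, msg_type = bootp + 240, None
    while i + 1 < len(frame) and frame[i] != 255:       # walk options up to End
        if frame[i] == 53 and i + 2 < len(frame):       # option 53 = message type
            msg_type = frame[i + 2]
        i += 1 if frame[i] == 0 else 2 + frame[i + 1]   # Pad (0) has no length byte
    return vlan, mac, msg_type

def clients_on_mgmt(frames):
    """MACs that sent DHCP on the AP-MGMT VLAN but are not known APs."""
    seen = (parse_dhcp(f) for f in frames)
    return sorted({p[1] for p in seen if p and p[0] == AP_MGMT_VLAN and p[1] not in KNOWN_AP_MACS})

def build_frame(mac, vlan=None, msg_type=1):
    """Construct a minimal DHCP frame for the sample below (vlan=None means untagged)."""
    m = bytes.fromhex(mac.replace(":", ""))
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    bootp = (b"\x01\x01\x06\x00" + bytes(24) + m + bytes(202)
             + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255]))
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + m + tag + b"\x08\x00" + ip + udp

SAMPLE = [build_frame("00:11:22:33:44:55"),            # AP, untagged: expected
          build_frame("aa:bb:cc:00:00:01", vlan=30),   # client on WIFI (assumed VLAN 30): expected
          build_frame("aa:bb:cc:00:00:02"),            # client untagged on AP-MGMT: flagged
          build_frame("aa:bb:cc:00:00:03", vlan=10)]   # client tagged AP-MGMT: flagged
```

A client MAC that shows up untagged points at the SSID-to-VLAN mapping, while one tagged with the AP-MGMT ID points at the trunk or a per-client VLAN override.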