I'm not keen on this approach when using NPS on Windows because you have to create an AD account where the username and password are the MAC address.
This means if someone knows the MAC address of any device that can connect (which can be worked out easily by just sniffing the wireless traffic of connected devices), they can attempt to use that for authentication against anything using AD.
It is really hard in AD to block accounts from being able to authenticate for anything except NPS. I'll go further and say it is probably impossible. You might think you have, but you have probably missed something.
A stronger option would be to change to certificate-based authentication for devices. Create an AD group policy to automatically deploy certificates to devices in AD, and then configure your WiFi environment to authenticate using those certificates.
A weaker option that doesn't increase the risk to everything attached to your AD would be to stick with your current username/password authentication, but change the Meraki firewall policy to a default deny. Then create a group policy called something like "Approved-for-WiFi" that overrides the firewall policy and gives user access, and then apply that to every device in the Meraki dashboard that you want to have access.
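
A detection-side check for the risk described above, as an added example that is not part of the original post: it flags authentications by MAC-formatted account names that come from any host other than the NPS server. The event records, their field names and the host name `nps01` are constructed assumptions, standing in for whatever your logon-event export provides.

```python
import re

# Assumption: short hostname(s) of the NPS server; replace with your own.
NPS_HOSTS = {"nps01"}

# MAC written as aabbccddeeff, aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[-:]?){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$",
    re.IGNORECASE,
)

def is_mac_account(name):
    """True when an account name (DOMAIN\\user or user@domain) looks like a MAC."""
    user = name.split("\\")[-1].split("@")[0]
    return bool(MAC_RE.match(user))

def suspicious_logons(events, nps_hosts=NPS_HOSTS):
    """Return events where a MAC-named account authenticated from a non-NPS host."""
    hits = []
    for ev in events:
        source = ev["source_host"].lower().split(".")[0]  # strip DNS suffix
        if is_mac_account(ev["account"]) and source not in nps_hosts:
            hits.append(ev)
    return hits

# Constructed sample records (hypothetical field names, not a real log format).
SAMPLE_EVENTS = [
    {"account": "CORP\\aabbccddeeff", "source_host": "NPS01.corp.example", "service": "radius"},
    {"account": "aa-bb-cc-dd-ee-ff", "source_host": "FILESRV02", "service": "smb"},
    {"account": "jsmith", "source_host": "FILESRV02", "service": "smb"},
    {"account": "001a.2b3c.4d5e@corp.example", "source_host": "vpn01", "service": "ldap"},
]

if __name__ == "__main__":
    for ev in suspicious_logons(SAMPLE_EVENTS):
        print(f"MAC account {ev['account']} used from {ev['source_host']} ({ev['service']})")
```
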