It is possible to run a single SSID with multiple VLANs -- the password used to connect will determine the VLAN to which the client is connected.
I don't know if this can be achieved with the Pi's wifi, but it's not worth even trying because of the poor performance of the on-board wireless functions of hte Pi.
If you want to do the above, your APs need to be running OpenWrt since the stock firmware almost certainly doesn't support this functionality.
As for wired connections -- you'll need managed switches (which it sounds like you have, at least for your core switch) in order to properly configure the VLANs. On wired connections, you will need to do this port based unless the devices are sufficiently advanced as to be able to use 802.1x authentication methods (i.e. computers, tablets, phones; iot devices won't have this functionality).