In the eyes of AP 1, the client 2 is not a wifi device but just another address on the wire.
In the eyes of AP 2, the client 1 is not a wifi device but just another address on the wire.
Now add your primary router to the network by connecting an actual wire, and add a printer by wire as well.
How would AP 1 know its wifi-connected client 1 is allowed to connect to both the router and the printer on the wire, but not to client 2, which is just on the wire as well?
Client isolation goes like:
1. Traffic from wifi to wire is allowed, because wifi clients need to access the router.
2. Traffic from wire to wifi is allowed, because wifi clients need to receive the router's responses.
3. Traffic from wifi to wifi is denied.
Traffic from client 1 to client 2 hits rule 1 on AP 1, so it gets allowed on AP 1. And it hits rule 2 on AP 2, so it gets allowed on AP 2. Response traffic from client 2 to requests from client 1 hits rule 1 on AP 2, so it gets allowed on AP 2, and it hits rule 2 on AP 1, so it gets allowed on AP 1. Which makes 4 rules on 2 APs, all allowing this very traffic.
You might get away with those rules on both APs:
Allow traffic to the router's MAC address
Allow traffic from the router's MAC address
Allow broadcast traffic that goes to the wire
Block everything else
But
I don't know if this really works and
since you need to type in the MAC address of your router in both of your APs, this won't be a checkbox thing.
this requires you to actually whitelist every wired MAC address in your guest network, otherwise wifi clients won't be able to access them.
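An added example (not part of the post above) that simulates the two rule sets hop by hop. It models two APs, each bridging a wifi port and a wire port, with a router and a printer on the wire; every forwarding decision is made per AP, as the post describes. The MAC addresses, the two-AP topology and the function names are all constructed for this example. It shows that the three-rule client isolation lets client 1 reach client 2 over the wire, that the MAC-based rule set blocks it, and that the same rule set also blocks the wired printer until its MAC is whitelisted.

```python
"""Simulate layer-2 client-isolation rules on two APs joined by a wire.

Constructed topology: every MAC address here is made up for the example.
Each AP has exactly two ports, "wifi" and "wire"; anything that is not one
of the AP's own wifi clients is "just another address on the wire".
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER = "02:00:00:00:00:01"    # wired
PRINTER = "02:00:00:00:00:02"   # wired
CLIENT1 = "02:00:00:00:00:11"   # wifi client of AP1
CLIENT2 = "02:00:00:00:00:22"   # wifi client of AP2

WIFI_CLIENTS = {"AP1": {CLIENT1}, "AP2": {CLIENT2}}


def home_ap(mac):
    """AP whose wifi side holds this MAC, or None if the device is wired."""
    for ap, clients in WIFI_CLIENTS.items():
        if mac in clients:
            return ap
    return None


def egress_port(ap, dst, ingress):
    """Port an AP forwards a frame to: broadcasts are flooded to the other port,
    unicast goes to wifi only if the destination is this AP's own client."""
    if dst == BROADCAST:
        return "wire" if ingress == "wifi" else "wifi"
    return "wifi" if dst in WIFI_CLIENTS[ap] else "wire"


def naive_isolation(ap, src, dst, ingress, egress):
    """The three-rule client isolation: wifi->wire ok, wire->wifi ok, wifi->wifi denied."""
    if ingress == "wifi" and egress == "wire":
        return True, "rule 1 (wifi->wire)"
    if ingress == "wire" and egress == "wifi":
        return True, "rule 2 (wire->wifi)"
    return False, "rule 3 (wifi->wifi)"


def mac_whitelist(ap, src, dst, ingress, egress, trusted=frozenset({ROUTER})):
    """The MAC-based rule set: to/from whitelisted wired MACs, broadcast
    towards the wire, block everything else."""
    if dst in trusted:
        return True, "allow to whitelisted MAC"
    if src in trusted:
        return True, "allow from whitelisted MAC"
    if dst == BROADCAST and egress == "wire":
        return True, "allow broadcast to wire"
    return False, "block everything else"


def deliver(policy, src, dst):
    """Walk one frame hop by hop and stop at the first AP that blocks it.
    Returns (delivered, trace); each trace entry is (ap, ingress, egress, rule)."""
    ap, ingress = home_ap(src), "wifi"
    if ap is None:
        # Wired sender: the frame shows up on the destination AP's wire port.
        if dst == BROADCAST or home_ap(dst) is None:
            raise ValueError("wired-to-wired traffic never crosses an AP")
        ap, ingress = home_ap(dst), "wire"
    trace = []
    while True:
        egress = egress_port(ap, dst, ingress)
        ok, rule = policy(ap, src, dst, ingress, egress)
        trace.append((ap, ingress, egress, rule))
        if not ok:
            return False, trace
        # A frame sent onto the wire reaches the other AP if its destination
        # (or a broadcast) lives on that AP's wifi side; wired hosts end the walk.
        if dst == BROADCAST:
            next_ap = next(a for a in WIFI_CLIENTS if a != ap)
        else:
            next_ap = home_ap(dst)
        if egress != "wire" or next_ap is None or next_ap == ap:
            return True, trace
        ap, ingress = next_ap, "wire"


if __name__ == "__main__":
    flows = ((CLIENT1, CLIENT2), (CLIENT1, ROUTER), (CLIENT1, PRINTER), (CLIENT1, BROADCAST))
    for policy in (naive_isolation, mac_whitelist):
        for src, dst in flows:
            ok, trace = deliver(policy, src, dst)
            print(f"{policy.__name__}: {src} -> {dst}: {'delivered' if ok else 'blocked'} {trace}")
```

Running the block prints one line per flow and policy; the trace makes visible which rule on which AP allowed or blocked each hop. To whitelist the printer as the post's last caveat requires, pass a policy such as `lambda *a: mac_whitelist(*a, trusted=frozenset({ROUTER, PRINTER}))` to `deliver`.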