Vlan attributes in sae_password

So, according to https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf:

#SAE password
# This parameter can be used to set passwords for SAE. By default, the
# wpa_passphrase value is used if this separate parameter is not used, but
# wpa_passphrase follows the WPA-PSK constraints (8..63 characters) even though
# SAE passwords do not have such constraints. If the BSS enabled both SAE and
# WPA-PSK and both values are set, SAE uses the sae_password values and WPA-PSK
# uses the wpa_passphrase value.
#
# Each sae_password entry is added to a list of available passwords. This
# corresponds to the dot11RSNAConfigPasswordValueEntry. sae_password value
# starts with the password (dot11RSNAConfigPasswordCredential). That value can
# be followed by optional peer MAC address (dot11RSNAConfigPasswordPeerMac) and
# by optional password identifier (dot11RSNAConfigPasswordIdentifier). In
# addition, an optional VLAN ID specification can be used to bind the station
# to the specified VLAN whenever the specific SAE password entry is used.
#
# If the peer MAC address is not included or is set to the wildcard address
# (ff:ff:ff:ff:ff:ff), the entry is available for any station to use. If a
# specific peer MAC address is included, only a station with that MAC address
# is allowed to use the entry.
#
# If the password identifier (with non-zero length) is included, the entry is
# limited to be used only with that specified identifier.
#
# The last matching (based on peer MAC address and identifier) entry is used to
# select which password to use. Setting sae_password to an empty string has a
# special meaning of removing all previously added entries.
#
# sae_password uses the following encoding:
#<password/credential>[|mac=<peer mac>][|vlanid=<VLAN ID>]
#[|pk=<m:ECPrivateKey-base64>][|id=<identifier>]
# Examples:
#sae_password=secret
#sae_password=really secret|mac=ff:ff:ff:ff:ff:ff
#sae_password=example secret|mac=02:03:04:05:06:07|id=pw identifier
#sae_password=example secret|vlanid=3|id=pw identifier

I really would like to request this as a feature for a uci entry and/or via luci :grin:

As of now there is only option wpa_psk_file 'file', but that only seemed to work for me with WPA2 on OpenWrt 22.05.0-RC1. For SAE I didn't find a workaround for VLANs like this; maybe there still is one, but I had no success.

I could see a few useful uses for this, for example if you want to personalise a network over the same SSID, or if you want to have a night clock on it so that the internet connectivity gets shut down. In my case I would use it for a more personalised low-latency gaming network.

What I like about this approach is that it doesn't seem you need WPA Enterprise (also not for wpa_psk_file), and that comes in handy for devices that do not support the WPA Enterprise protocol. Though, to be fair, the SAE protocol is also not widely supported on older devices, but I still think it's handy for future-proofing.

May I toot my own horn a tiny bit:

And the corresponding forum thread:

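As an added example (not code from the hostapd project or from the original post), here is a small Python model of the sae_password encoding quoted above and of the "last matching entry" selection rule, handy for checking which password and VLAN a given station MAC and password identifier would resolve to before deploying VLAN-bound entries. Two assumptions are taken from the quoted text rather than from hostapd's source: '|' is treated purely as a field separator (so the password itself must not contain one), and an entry with an identifier matches only a request carrying that identifier, while an entry without one matches only requests without an identifier.

```python
from dataclasses import dataclass
from typing import List, Optional

WILDCARD_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class SaePassword:
    password: str
    mac: str = WILDCARD_MAC          # wildcard: any station may use the entry
    vlanid: Optional[int] = None     # station is bound to this VLAN when entry is used
    pk: Optional[str] = None         # optional SAE-PK private key (kept opaque here)
    identifier: Optional[str] = None # password identifier, if any


def parse_sae_password(value: str) -> SaePassword:
    """Parse one '<pw>[|mac=..][|vlanid=..][|pk=..][|id=..]' value (assumes no '|' in pw)."""
    fields = value.split("|")
    entry = SaePassword(password=fields[0])
    for field in fields[1:]:
        key, sep, val = field.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {field!r}")
        if key == "mac":
            entry.mac = val.lower()
        elif key == "vlanid":
            entry.vlanid = int(val)
        elif key == "pk":
            entry.pk = val
        elif key == "id":
            entry.identifier = val or None   # zero-length id means "no identifier"
        else:
            raise ValueError(f"unknown attribute: {key!r}")
    return entry


def load_sae_passwords(config_lines) -> List[SaePassword]:
    """Collect sae_password entries in order; an empty value clears all earlier ones."""
    entries: List[SaePassword] = []
    for line in config_lines:
        line = line.strip()
        if not line.startswith("sae_password="):
            continue
        value = line[len("sae_password="):]
        if value == "":
            entries.clear()
        else:
            entries.append(parse_sae_password(value))
    return entries


def select_sae_password(entries, sta_mac: str, identifier: Optional[str] = None):
    """Return the LAST entry whose peer MAC and identifier match the request, else None."""
    chosen = None
    for e in entries:
        if e.mac != WILDCARD_MAC and e.mac != sta_mac.lower():
            continue
        if (identifier or None) != e.identifier:
            continue
        chosen = e
    return chosen


# Constructed sample config, using the four example lines quoted from hostapd.conf.
SAMPLE_CONFIG = [
    "sae_password=secret",
    "sae_password=really secret|mac=ff:ff:ff:ff:ff:ff",
    "sae_password=example secret|mac=02:03:04:05:06:07|id=pw identifier",
    "sae_password=example secret|vlanid=3|id=pw identifier",
]
```

Running `select_sae_password(load_sae_passwords(SAMPLE_CONFIG), "02:03:04:05:06:07", "pw identifier")` resolves to the last entry and therefore binds the station to VLAN 3.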