What limits VAPs/multi-ssid on hardware?

Devices can be authenticated with individual PSKs (no WPA Enterprise, no RADIUS needed).

https://www.reddit.com/r/openwrt/comments/ynhyrp/comment/ivdl32u/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

It is possible to have multiple passwords for a single SSID and assign clients to VLANs based on which password they connect with using the wpa_psk_file option. This is supported by openwrt but not LuCI so you'd have to use the CLI to configure it. From the client's point of view this would be the same as any other WPA2-Personal connection and thus doesn't have any compatibility issues like WPA2-Enterprise.

Example hostapd.wpa_psk

Note that I have not tried this solution myself.

UPDATE: @takimata has tried it: