DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Controlling an untrusted network tenant

17 Jan 2021 15:53 #1 by ulrick
I have a work laptop which I have to use but unfortunately, cannot trust. :o
I have separated it onto a separate tagged VLAN so that it can see the WAN but can't see anything else on my home network. I'd also like to be able to connect it to my regular LAN so that I can use my printer but deny it internet access whilst it is there. Can I add a rule so that the MAC address is prevented from accessing the internet on LAN1 but allowed on LAN2? The laptop has a wireless connection via an AP902.

I have a 2860ac and an AP902 with the latest firmware.


17 Jan 2021 19:56 #2 by brumster
You can indeed, just set up a firewall rule to block all outbound traffic for that source IP.

First you'll need to fix the IP of the host you want to control, and the only reliable way to do this is to use Bind IP to MAC and set Strict Bind, so that you know absolutely for certain which IP is the machine in question. You can then map its MAC to a known IP address. Then what I like to do is go into Objects Setting and create an IP object or group for the machine's IP that you can reference in a firewall rule. A group lets you do more than one PC, but if you only need to block one you can just create a single IP object.

In a filter rule you set:
Direction: LAN->WAN
Source IP: "BlockedDevices" object or group, whatever you create. Obviously you CAN just enter a known IP here but I like to use the objects feature to manage this; it's up to you.
Destination, Service: Any
Filter: Block Immediately


18 Jan 2021 08:38 #3 by ulrick
Thanks for the pointers. I'll give that solution a try later.


18 Jan 2021 10:48 #4 by ulrick
I note there's a "gotcha" on strict bind.

"Important Note - Strict Bind
Strict Bind will block the connection of the IP/MAC which is not listed in the IP Bind List.
Make sure that there is at least one valid MAC address entry before enabling this additional option. Otherwise no LAN clients will have network access to make changes to its configuration.
By default this option is unchecked and is not required for the fix IP address allocation."

What I need to test now is that the binding operates on LAN1 but not on LAN2 because obviously, I don't want DHCP to force an address in the wrong subnet.


18 Jan 2021 14:29 #5 by piste basher
Do you really need to use strict bind? All my "non-strict" bindings over 3 VLANs seem to work fine.


18 Jan 2021 15:27 #6 by hornbyp
Maybe it's necessary, if the 'Network tenant' is untrusted. Otherwise, they could switch to a static IP address and bypass the Firewall Rules.

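A small Python model of the policy brumster laid out (Bind IP to MAC, an IP object group, one LAN->WAN block rule), run through the two cases raised later in the thread: an untrusted host choosing its own static IP, and Strict Bind on a LAN that has no entry for the device. This is an added illustration, not DrayTek firmware or code from the thread; the MAC address, IP addresses and LAN names are constructed.

```python
"""Toy model of the router policy discussed in the thread. Modelled behaviour only,
not DrayTek firmware; every address below is a constructed sample value."""
from dataclasses import dataclass

LAPTOP_MAC = "00:11:22:33:44:55"                      # constructed sample MAC
# Bind IP to MAC: the laptop's MAC is pinned to one LAN1 address; no entry for LAN2.
BIND_LIST = {("LAN1", LAPTOP_MAC): "192.168.1.50"}
# IP object group "BlockedDevices" referenced by the filter rule.
BLOCKED_DEVICES = {"192.168.1.50"}
# Filter rule: Direction LAN->WAN, Source BlockedDevices, Dest/Service Any, Block Immediately.
RULES = [{"direction": "LAN->WAN", "source": BLOCKED_DEVICES, "action": "block"}]


@dataclass(frozen=True)
class Packet:
    lan: str                     # LAN the frame arrived on, "LAN1" or "LAN2"
    mac: str                     # source MAC address
    src_ip: str                  # source IP, whether DHCP-assigned or self-chosen
    direction: str = "LAN->WAN"


def bind_check(pkt: Packet, strict_lans: frozenset) -> bool:
    """Bind IP to MAC stage. On a LAN with Strict Bind enabled, an IP/MAC pair not in
    the bind list is dropped; without Strict Bind the list only steers DHCP."""
    if pkt.lan not in strict_lans:
        return True
    return BIND_LIST.get((pkt.lan, pkt.mac)) == pkt.src_ip


def filter_rules(pkt: Packet) -> str:
    """First matching filter rule wins; no match means the packet passes."""
    for rule in RULES:
        if rule["direction"] == pkt.direction and pkt.src_ip in rule["source"]:
            return rule["action"]
    return "pass"


def evaluate(pkt: Packet, strict_lans: frozenset = frozenset()) -> str:
    """Return 'drop:strict-bind', 'drop:filter' or 'pass' for one packet."""
    if not bind_check(pkt, strict_lans):
        return "drop:strict-bind"
    return "drop:filter" if filter_rules(pkt) == "block" else "pass"


if __name__ == "__main__":
    cases = {
        "LAN1, bound IP": Packet("LAN1", LAPTOP_MAC, "192.168.1.50"),
        "LAN1, self-chosen static IP": Packet("LAN1", LAPTOP_MAC, "192.168.1.99"),
        "LAN2, DHCP address": Packet("LAN2", LAPTOP_MAC, "192.168.2.50"),
    }
    for name, pkt in cases.items():
        print(f"{name:30} strict off: {evaluate(pkt):17} "
              f"strict on LAN1: {evaluate(pkt, frozenset({'LAN1'}))}")
```

The second case shows hornbyp's point: with Strict Bind off, the IP-based rule is sidestepped by picking a different address, while the LAN2 case shows ulrick's concern that enabling Strict Bind on a LAN with no entry for the device drops it entirely.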