Your Access Point is a router that assigns connecting clients an IP from its own DHCP subnet. Just allow or reject traffic from the AP's DHCP subnet. There are a few ways you could stop the Pi AP's WiFi clients connecting to internal hosts:
a) In the Raspberry Pi's firewall (iptables & UFW being the most common on a Pi), drop/reject traffic to all RFC 1918 subnets NOT the AP's, i.e. if the Pi AP is assigning addresses from the pool 192.168.01/28, and all your local stuff lives on 10.0.1.0/24, drop all traffic with a source of 192.168.01/28 to a destination of 10.0.1.0/24.
b) Or, in the firewall of the router the Pi AP itself is connected to, drop/reject all traffic with a source of 192.168.01/28 to a destination of 10.0.1.0/24.
Either way will achieve the same result. It might be easier to create a rule on your router rather than setting up firewalling on the Pi itself.
However, if you DO want to have rules running on the Pi itself (not a bad thing), you can download my GitHub repo, which automates configuration of a Pi into a wireless AP in a few minutes with almost zero effort. It has a default set of UFW rules you could tailor to your own local situation:
https://raspberrypi.stackexchange.com/a/104175/97613
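
Option (a) as an added example, not part of the original answer or the linked repo: a dry-run generator that prints the iptables FORWARD rules for the Pi. The AP subnet `192.168.0.0/28` and interface `wlan0` are constructed sample values, and the function name `ap_isolation_rules` is hypothetical.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables FORWARD rules that keep
# clients on the Pi AP's DHCP subnet away from other private (RFC 1918) networks.
# Assumed sample values: AP subnet 192.168.0.0/28, AP interface wlan0.

RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ap_isolation_rules AP_SUBNET AP_IFACE
# Emits one iptables command per line; returns 1 on a malformed subnet.
ap_isolation_rules() {
    ap_subnet=$1
    ap_iface=$2
    # Basic sanity check: dotted quad plus prefix length.
    if ! printf '%s\n' "$ap_subnet" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
        echo "bad subnet: $ap_subnet" >&2
        return 1
    fi
    # Replies belonging to already-permitted connections keep flowing.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The AP's own subnet is the one private range its clients may reach.
    echo "iptables -A FORWARD -i $ap_iface -s $ap_subnet -d $ap_subnet -j ACCEPT"
    # Reject every other private destination, which covers the local LAN
    # (10.0.1.0/24 in the answer) and any private range added later.
    for net in $RFC1918; do
        echo "iptables -A FORWARD -i $ap_iface -s $ap_subnet -d $net -j REJECT"
    done
    # Non-private destinations (the internet) are still forwarded.
    echo "iptables -A FORWARD -i $ap_iface -s $ap_subnet -j ACCEPT"
}

# Dry run with the assumed values; review the output before applying as root.
ap_isolation_rules "192.168.0.0/28" "wlan0"
```

If the AP's clients use a DNS resolver on the LAN (for example the upstream router) rather than one on the Pi, add an ACCEPT for that address on port 53 ahead of the REJECT rules.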