Yes, if they are doing 802.1X to authenticate the domain user, you can check AD group membership and also, in the same policy, require the endpoint MAC address to be defined or part of a group.
Example AuthZ policy: If AD Group = Domain Users AND Endpoint Identity Group = Whitelist (or whatever you want to call it), then permit access.
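As an added illustration (not code from the answer above and not Cisco ISE's own logic), the following Python mock evaluates the two-condition rule the answer describes against a few constructed 802.1X sessions: a domain user on a whitelisted endpoint is permitted, while a domain user on an unknown MAC, or a non-domain account on a known MAC, falls through to the default deny. The session dictionaries, the `WHITELIST_MACS` set and the `authorize()` helper are assumptions made for this example; the one practical point it adds is MAC normalization, since the same address can arrive as `AA-BB-CC-DD-EE-FF`, `aabb.ccdd.eeff` or `aa:bb:cc:dd:ee:ff` depending on the NAS.

```python
import re

REQUIRED_AD_GROUP = "Domain Users"


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to lowercase colon-separated form.

    Raises ValueError if the value does not contain exactly 12 hex digits, so a
    malformed or missing MAC can never accidentally match the whitelist.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


# Constructed "Endpoint Identity Group = Whitelist" membership.
WHITELIST_MACS = {normalize_mac(m) for m in ("00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF")}


def authorize(session: dict) -> str:
    """Return the authorization result for one 802.1X session.

    Mirrors the rule: AD Group = Domain Users AND Endpoint Identity Group =
    Whitelist -> PermitAccess. Anything else hits the default DenyAccess rule.
    """
    if session.get("auth_method") != "dot1x":
        return "DenyAccess"
    try:
        mac = normalize_mac(session.get("calling_station_id", ""))
    except ValueError:
        return "DenyAccess"
    in_ad_group = REQUIRED_AD_GROUP in session.get("ad_groups", ())
    in_whitelist = mac in WHITELIST_MACS
    if in_ad_group and in_whitelist:
        return "PermitAccess"
    return "DenyAccess"


# Constructed sample sessions (attribute names chosen for readability, not ISE's).
SESSIONS = {
    "domain_user_known_mac": {
        "auth_method": "dot1x", "user": "alice",
        "ad_groups": ["Domain Users", "Sales"],
        "calling_station_id": "aabb.ccdd.eeff",   # same MAC as AA-BB-CC-DD-EE-FF
    },
    "domain_user_unknown_mac": {
        "auth_method": "dot1x", "user": "bob",
        "ad_groups": ["Domain Users"],
        "calling_station_id": "de:ad:be:ef:00:01",
    },
    "local_account_known_mac": {
        "auth_method": "dot1x", "user": "svc-local",
        "ad_groups": [],
        "calling_station_id": "00:11:22:33:44:55",
    },
    "mab_only_known_mac": {
        "auth_method": "mab",
        "ad_groups": [],
        "calling_station_id": "00:11:22:33:44:55",
    },
}


def evaluate_all() -> dict:
    """Authorize every constructed session and return {name: result}."""
    return {name: authorize(s) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:28s} -> {result}")
```

Only the session that satisfies both conditions is permitted; every other combination, including a whitelisted MAC without a domain identity, lands on the default deny, which is the property the combined rule is meant to give.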