1895 Views | 0 Helpful | 9 Replies

WLC ACL Limit

cfnisupport
Level 1

How are large organizations dealing with the 64 ACL and 64 ACE limit on the WLCs? We are deploying ISE and we are early into our deployment and already had an instance where we hit the 64 ACE limit. It is easy to hit this limit, in my opinion, when you're dealing with Active Directory traffic and other 'chatty' type services.

One way around this I've found is to not restrict by port, but to just allow all TCP traffic to the destination IP, but that isn't as secure. That doesn't bother me too much, but I'm still concerned about the scale.

Anyone have any input? Since the WLCs don't support dACL, I'm really starting to wonder how we scale.

Thanks,

-Steve

Accepted Solution

Jason Kunst
Cisco Employee

Would recommend deploying TrustSec scalable group tags.


9 Replies

Jason Kunst
Cisco Employee

Would recommend deploying TrustSec scalable group tags.

cfnisupport
Level 1

Thanks for the quick response. Can we do TrustSec scalable group tags only on the WLCs without having to do TrustSec on the rest of the network?

It needs some network devices (e.g. ASA) between the endpoints and the servers to perform the enforcement.

I would recommend learning more about TrustSec; classification happens on the WLC, but enforcement would happen at other points (data center).

https://www.youtube.com/watch?v=78-GV7Pz18I

You can certainly start with wireless only but the benefits would also be available on the wired side.

paul
Level 10

I am curious about your wireless policies that have so many ACLs. What are you trying to accomplish with your wireless setup?

cfnisupport

We're trying to lock down a small group of Windows 10 Surface Pros to only what they need to communicate with on the network, inside and out. Which means locking down to Meraki, our internal servers necessary for the software on the Surfaces, basic network services, and the real killer is making sure the Surfaces can communicate with our domain controllers and vice versa. We have 20 domain controllers that these devices could possibly be communicating with at any given point in time. So 20 inbound rules, 20 outbound rules, not locking down to ports, that's 40 rules just to ensure proper domain configuration.

We are in healthcare, so we have a ton of devices. Think IV pumps, mobile x-rays, tablets providers use, tablets patients touch, mobile glucose test machines which upload their data. Heck, even our emergency lights and our wall clocks are all on WiFi. As you can imagine, we can quickly blow past 64x64.

My favorite part about the video Jason posted? Just after a minute in, it states there is nothing to 'bolt on'. But that's not true. We need to bolt on an ASA!
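The ACE arithmetic in Steve's post (20 domain controllers, inbound and outbound, no port restriction, so 40 entries) is easy to check and easy to blow through once per-port rules are added. The script below is an added example, not code from the thread or from Cisco: it expands a destination/service policy into the ACE tuples a per-ACL limit would have to hold, reports the count against the 64-ACE figure quoted in the thread, and shows the one other lever besides "permit ip to host" that the thread does not discuss, summarising hosts into covering prefixes, together with the cost of doing so (how many addresses the prefix permits that are not on the list). The DC addresses, the AD port list and the per-site /24 grouping are constructed sample data, not taken from the thread.

```python
"""ACE budget planner for a WLC-style ACL (added example, not from the thread).

The 64-ACE per-ACL limit is the figure quoted in the discussion; the addresses
and service list below are constructed sample data.
"""
import ipaddress
from collections import defaultdict
from itertools import product

ACE_LIMIT = 64  # per-ACL ACE limit quoted in the thread

# Constructed sample data: 20 domain controllers, 10 per site, and a subset
# of AD-related services. None of these values come from the thread.
DC_HOSTS = [f"10.10.1.{i}" for i in range(10, 20)] + [f"10.20.1.{i}" for i in range(10, 20)]
AD_PORTS = [("tcp", 88), ("udp", 88), ("tcp", 389), ("udp", 389), ("tcp", 445), ("tcp", 135)]
ANY_IP = [("ip", "any")]  # "permit ip ... host X": the no-port-restriction option from the thread


def build_aces(dests, services, both_directions=True):
    """Expand destinations x services x directions into one tuple per ACE.

    Each tuple is (direction, protocol, destination, port). The WLC counts
    every such entry against the per-ACL ACE limit.
    """
    directions = ("in", "out") if both_directions else ("in",)
    return [(d, proto, str(dst), port)
            for d, dst, (proto, port) in product(directions, dests, services)]


def ace_count(dests, services, both_directions=True):
    return len(build_aces(dests, services, both_directions))


def covering_prefix(addrs):
    """Smallest single prefix that contains every address in addrs."""
    nets = sorted(ipaddress.ip_network(a) for a in addrs)
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()  # widen by one bit until everything fits
    return net


def summarise(addrs, group_prefixlen=24):
    """Collapse hosts into one covering prefix per /group_prefixlen group.

    Fewer ACEs, at the price of also permitting any unused addresses that fall
    inside each prefix; plan() reports that count so the trade-off is visible.
    """
    groups = defaultdict(list)
    for a in addrs:
        key = ipaddress.ip_network(f"{a}/{group_prefixlen}", strict=False)
        groups[key].append(a)
    return [covering_prefix(g) for g in groups.values()]


def plan(hosts, services, summarise_to=None, limit=ACE_LIMIT):
    """Return ACE usage for the policy and how many non-listed hosts it permits.

    summarise_to: None keeps one /32 per host; an integer groups hosts by that
    prefix length and replaces each group with its covering prefix.
    """
    dests = summarise(hosts, summarise_to) if summarise_to else list(hosts)
    count = ace_count(dests, services)
    covered = sum(ipaddress.ip_network(d).num_addresses for d in dests)
    return {
        "aces": count,
        "fits": count <= limit,
        "over_permitted_hosts": covered - len(hosts),
        "destinations": [str(d) for d in dests],
    }


if __name__ == "__main__":
    for label, kwargs in (
        ("per-host, any protocol (thread's workaround)", dict(services=ANY_IP)),
        ("per-host, per-port", dict(services=AD_PORTS)),
        ("per-site prefix, per-port", dict(services=AD_PORTS, summarise_to=24)),
    ):
        print(label, plan(DC_HOSTS, **kwargs))
```

Run as-is it shows the thread's 40-entry figure for the host-and-any-protocol policy, 240 entries (well past the limit) once six AD services are enumerated per host, and 24 entries when each site's controllers are covered by one /27, with 44 addresses in those prefixes that are not domain controllers. That last number is the caveat to weigh before summarising: the ACL now permits those addresses too, which is the same kind of over-permission the thread accepts when it drops port restrictions.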

Yes at the enforcement point you have to bolt on a device capable of enforcement based off the SGT.

I recommend reaching out to the TrustSec community about anything further about TrustSec; I understand a meeting is being set up. Please work with them further.

jeaves@cisco.com
Cisco Employee

Spent some time with the guys tonight on a webex.

Went through wireless operation with TrustSec and how it could dramatically help with TCAM limits on WLCs.

Available to help further if needed.

Regards, Jonothan.