I'm trying to enable port security for some non-Cisco WAPs which have their management IP in a native vlan and tagged traffic for 2 SSIDs on different client vlans.  I want to restrict access in the native vlan to just the WAP's mac address and freely allow clients on the other two vlans.

Thinking was I would leave the maximum for the native vlan as 1 and set a high maximum for the other two vlans and leave the learning dynamic (if that worked I was going to look at ageing to keep the dynamic count from growing too high on the client vlans, but I didn't get that far).

vlan 100 is my management vlan, 101 and 102 are the two client ones, IOS-XE 16.9.5 on C3850

port config example:

interface GigabitEthernet1/0/2
switchport trunk native vlan 100
switchport mode trunk
switchport port-security maximum 1 vlan 100
switchport port-security maximum 1024 vlan 101,102
switchport port-security violation restrict
switchport port-security
end

Originally I didn't have the  "switchport port-security maximum 1 vlan 100" line, thinking it'd default to 1, but as soon as I enabled port security, I got a violation on vlan 100, so added it.  That kept the management IP online and its mac appeared with type "SecureDynamic" in show port-security address, but then I started getting violations for any clients in vlan 101 & 102

Am I misunderstanding the per-vlan maximums, and/or is there a better way to do this?