The two Eth ports on your ZD1200 are one logical interface to the controller, so you can't "define" one on VLAN A with IP-subnet1 address, and one on VLAN B with IP-subnet2 address. If you do not want the ZD/APs to be easily accessable to either SSID clients, define a "Management" VLAN 0 for the ZD/APs, and use unique VLANs for both of your SSIDs. You simply need to trunk the two VLANs in addition to your management VLAN to the ZD/APs. Client dhcp requests will go to the server on the specific VLAN. Does that make sense? You use ACLs (on your switch/router) to limit access of the VLAN subnets to whatever targets you want to permit/deny.
Untagged(access) vlan 10 for management tag vlan 2,3,5 for Wireless networks and that's all? Will the ZD see the tagged vlans and I won't have to do anything other than assign the access vlan to each SSID?