With reference to your post, Full Client Isolation is the feature that needs to be enabled to have all the clients isolated from each other. When Full Client Isolation is enabled, the Restricted Subnet ACL gets applied to the WLAN by default (this is how it is designed). This is the reason for the L3 ACL being disabled, since the Restricted Subnet list is also an L3 ACL (you cannot have multiple L3 ACLs associated with a single WLAN).
Once Full Client Isolation is enabled on a WLAN, the clients are not allowed to access any of the internal devices/servers. If you would like to allow access to specific devices or servers on your internal network, you need to add the URL or IP address with a /32 subnet. This means that all host bits need to match to have access, hence allowing access only to authorized devices on the internal side of the network.
Please let me know if you need more information regarding this. All the best.
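
As an added example that is not part of the original post or of the controller's own tooling, the Python sketch below audits a client-isolation allow list before it is entered: it flags any entry broader than a single /32 host and any entry whose host bits are set, then checks which destinations the list would actually expose. The entry list, addresses and function names are constructed for illustration, and the default-deny matching is a simplified model of the behaviour described above.

```python
import ipaddress

# Constructed sample allow list (not from the original post).
ENTRIES = [
    "10.0.0.25/32",           # single host, as recommended
    "10.0.0.53",              # bare IP, treated as /32
    "10.0.5.0/24",            # exposes a whole subnet
    "10.0.9.17/24",           # host address typed with a subnet mask
    "intranet.example.test",  # hostname/URL entry
]

def audit_allow_list(entries):
    """Return (networks, findings) for a list of allow-list strings."""
    networks, findings = [], []
    for raw in entries:
        try:
            iface = ipaddress.ip_interface(raw.strip())
        except ValueError:
            findings.append((raw, "hostname or URL; not evaluated by this check"))
            continue
        net = iface.network
        if iface.ip != net.network_address:
            findings.append((raw, f"host bits set; entry covers all of {net}"))
        if net.prefixlen < net.max_prefixlen:
            findings.append((raw, f"broader than one host: {net.num_addresses} addresses"))
        networks.append(net)
    return networks, findings

def is_allowed(dest, networks):
    """Default deny: a destination is reachable only if an entry covers it."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    nets, findings = audit_allow_list(ENTRIES)
    for entry, problem in findings:
        print(f"REVIEW {entry}: {problem}")
    for dest in ("10.0.0.25", "10.0.0.26", "10.0.5.200", "10.0.9.1"):
        print(dest, "allowed" if is_allowed(dest, nets) else "blocked")
```

The `10.0.9.17/24` entry shows why the /32 matters: intended for one server, it would open the other 255 addresses in that subnet to isolated clients.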