We consider that
1. wlan1 we have a radio interface on which this selected client will be
hung 2. l2tp-out - vpn interface.
3. pppoe - interface towards the Internet.
Total
1. To begin with, we prohibit traffic in the direction wlan1-> pppoe. Traffic will now definitely not run outside by vpn.

ip firewall filter add action=drop chain=forward in-interface=wlan1 out-interface=pppoe

/ip firewall mangle
add action=route chain=prerouting in-interface=wlan1 passthrough=yes route-dst=адрес на другой стороне туннеля

Separate subnet for virtual wlan, policy base routing by src-addr

Thanks for answers. I'll try to figure it out at my leisure.
As a result, I solved the issue bypassing, sacrificing universality.
Since the second router was also Mikrotik, both had a functioning Mikrotik cloud and I had remote access to the second router:
-I set up an EoIP tunnel between the routers -created a
virtual wlan
-deleted the virtual wlan interface and EoIP Tunnel from the local Bridge
-created a Bridge VPN , where added wlan and EoIP tunnel
As a result, when connecting to a virtual wlan, I get into my VPN channel to the second router, isolated from the rest of the traffic. I'm not one hundred percent sure that my traffic is not visible to the provider, which brazenly sniffs torrent tracker packets, but so far the Internet speeds and ip determination sites indicate that I'm sitting in the geolocation of the VPN router.
The solution is not elegant, because EoIP is a proprietary mikrotik protocol, you need access to the settings of the second router, and it is not compatible with any other VPN services.