No, you don't need a separate AP to run VLANs. You configure VLANs in LuCI or by SSHing into your router, and you can run them with or without an additional AP.
If you want to learn more, check out the video I linked to in a reply to someone else from a while back: GL.iNet UI shows no clients connected due to use of VLANs - #7 by Integritas .
P.S. The Beryl AX (GL-MT3000) supports both 2.4 and 5 GHz. Your reply implies only 2.4 GHz unless you've deliberately turned off 5 GHz for some reason.