Thanks Colin and Cam. Those are both great suggestions. I'm not really familiar with what you can do with a role in Clearpass Onboard, so I went ahead and used Colin's suggestion.
What I did was make a role/role mapping that if memberOf NOT Contains BYOD AND your authentication source is AD, then your role is NOT BYOD Onboarder. In Enforcement, if your role is NOT BYOD Onboarder, then your returned Aruba role is No-Onboarding. That Aruba role directs the user to a ClearPass page that says you're not allowed to onboard.
Now, my problem is, CPPM seems to only pick up the AD groups in the first authentication and then always sticks with that. So, if I have a user that's not in the BYOD group, he gets put in the NOT BYOD Onboarder role, which is correct. But, if I add the user to that group, CPPM doesn't get that group membership. The opposite happens as well. If a user is in BYOD, CPPM picks that up the first time and allows the user to onboard. But, if I remove them from that group, CPPM seems to still think they're in that group.