The MAC address rule would work fine as it is hit earlier in the authentication process. The DHCP fingerprint derivation rules are hit last, after all other authentications, role assignments, and VLAN assignments. Changing the VLAN for a DHCP fingerprint derivation rule (either by setting the VLAN or setting a role with a VLAN assigned) is not supported.
Can you try setting the AppleTV derivation rule so that it uses the fingerprint but assigns a role that does not have a VLAN associated with it? Despite this working for other devices as you say, I think this may be throwing the AppleTV off.
For example:
set role condition dhcp-option equals "370103060F77FC" set-value authenticated
I am curious if it places the AppleTV in the authenticated role and assigns the default VLAN on the Virtual-AP.
You can also turn on debugging for DHCP to see what is happening with DHCP.
logging level debugging network subcat dhcp
show log network 100 | include 00:21:6a:28:ca:a8
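Added example, not part of the original post: a small Python parser that walks the options field of a DHCP packet and builds fingerprint strings in the form used in the rule above, which is handy for checking what a client actually sent against the value in the derivation rule. It assumes the fingerprint is the option code byte followed by the option's value bytes, hex-encoded with no length byte (consistent with "370103060F77FC"); the function names and the sample packet options are constructed for illustration.

```python
PAD, END, PARAM_REQUEST_LIST = 0, 255, 55


def parse_options(blob: bytes) -> list[tuple[int, bytes]]:
    """Walk the DHCP option TLVs (the bytes after the magic cookie) in order."""
    opts, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == PAD:            # pad option is a single byte with no length
            i += 1
            continue
        if code == END:            # end option terminates the list
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts.append((code, value))
        i += 2 + length
    return opts


def fingerprints(blob: bytes) -> dict[int, str]:
    """Assumed fingerprint format: hex(option code) + hex(option value)."""
    return {c: f"{c:02X}{v.hex().upper()}" for c, v in parse_options(blob)}


def matches_rule(blob: bytes, rule_value: str) -> bool:
    """True if any option in the packet equals the rule's dhcp-option string."""
    return rule_value.upper() in fingerprints(blob).values()


def requested_options(fingerprint: str) -> list[int]:
    """Decode an option 55 fingerprint into the option codes the client asked for."""
    raw = bytes.fromhex(fingerprint)
    if not raw or raw[0] != PARAM_REQUEST_LIST:
        raise ValueError("not an option 55 (parameter request list) fingerprint")
    return list(raw[1:])


# Constructed sample: message type, a pad byte, client identifier, option 55, end.
SAMPLE = bytes.fromhex("350101" "00" "3d070100216a28caa8" "37060103060f77fc" "ff")

if __name__ == "__main__":
    print(fingerprints(SAMPLE))
    print(requested_options("370103060F77FC"))
```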