What you should be doing is returning the Aruba-User-Vlan attribute instead of using derivation rules. It does not matter what the Virtual AP VLAN is; the Aruba-User-Vlan attribute will override it and tag the user traffic and send it out the wired interface of the AP. The AP system profile has a VLAN parameter. Only bridged traffic whose VLAN matches this parameter is untagged. All of the other traffic with VLANs that differ from that parameter, whether it be the Virtual AP or from the Aruba-User-Vlan attribute, will be tagged out the physical interface of the AP.
I hope that helps.
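Added example, not part of the original reply and not Aruba's code: a small Python check that pulls Aruba-User-Vlan out of raw RADIUS reply attributes and applies the tagging rule described above. The function names and the sample bytes are constructed for illustration; the vendor ID 14823 and attribute number 2 are taken from the Aruba RADIUS dictionary.

```python
import struct

ARUBA_VENDOR_ID = 14823      # Aruba's IANA enterprise number
ARUBA_USER_VLAN = 2          # Aruba-User-Vlan in the Aruba RADIUS dictionary (integer)
VENDOR_SPECIFIC = 26         # RADIUS Vendor-Specific attribute type (RFC 2865)


def aruba_user_vlan(attrs: bytes):
    """Return the Aruba-User-Vlan carried in raw RADIUS attributes, or None."""
    i = 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        value = attrs[i + 2:i + a_len]
        i += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ARUBA_VENDOR_ID:
            continue
        sub = value[4:]                      # vendor sub-attributes: type, length, data
        j = 0
        while j + 2 <= len(sub):
            v_type, v_len = sub[j], sub[j + 1]
            if v_len < 2 or j + v_len > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if v_type == ARUBA_USER_VLAN and v_len == 6:
                return struct.unpack("!I", sub[j + 2:j + 6])[0]
            j += v_len
    return None


def egress(vap_vlan, ap_system_vlan, radius_vlan=None):
    """(vlan, tagged) for bridged user traffic leaving the AP's wired port."""
    vlan = radius_vlan if radius_vlan is not None else vap_vlan
    return vlan, vlan != ap_system_vlan      # untagged only on the AP system profile VLAN


def vsa(vlan):
    """Build a constructed Vendor-Specific attribute holding Aruba-User-Vlan."""
    body = struct.pack("!IBBI", ARUBA_VENDOR_ID, ARUBA_USER_VLAN, 6, vlan)
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


# Constructed sample: Reply-Message "ok" followed by Aruba-User-Vlan = 30
SAMPLE = bytes([18, 4]) + b"ok" + vsa(30)

if __name__ == "__main__":
    print(egress(vap_vlan=10, ap_system_vlan=1, radius_vlan=aruba_user_vlan(SAMPLE)))
```

Comparing the result against the trunk configuration of the switch port the AP is plugged into shows whether the returned VLAN is actually allowed tagged on that port.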