Which device are you trying to configure this on? ACL's work from top down (so the first rule that is matched will be used...) with an explicit deny at the end.
In your case, I assume 172.16.200.0/255.255.254.0 is the source VLAN of the SSID. Your first rule would be to deny ANY (source VLAN) traffic to 10/8, then the remaining rules (I've used the below as an example for allowing, DNS, HTTP & HTTPS) would permit your Internet access traffic.