Hey,
I could be wrong about this, but I don't think the change of VLAN's will work without a client first diconnecting then reconnecting.
For our Onboard we are using two different SSID's and we are able to move users between VLAN's (from provisioning VLAN to BYOD VLAN) without an issue. But in this situation the client gets disconnected then is reconnected.
Is there any specific reason you don't want to leave your Guests in the same VLAN?
You can leave them in the same VLAN but just have two different roles, an unauthorized role and an authorized role.