I have double-checked everything onsite.
The correct syntax for VACL is "vlan-in", so that was not an issue.
In fact, VACL works in most scenarios.
But it does not work properly when clients are connected to the same switch port (wireless clients connected to the same AP). In that case, the switch sometimes blocks the traffic, but less than 1%. And this occasional blocking was confusing.
So in general, VACL doesn't help in this case. Neither does VLAN "isolate-list".