ACL are not supported on SVI.
You have 3 alternatives:
- VLAN ACL, as you selected
- Port ACL (might depend on the manageability due to nu,ber of ports)
- Policy (routed-in) on the SVI. Instead of writing an ACL, you write a class with match sequences and the policy will use drop action for the said match corresponding to a deny in the ACL.
To your point about what is missing on VLAN ACL, there is an implicit deny any any any at the end of any ACL. So you have to make sure that the traffic for different IP addresses of the given SVI is permitted before that implicit deny.