@GregVLAN 

If you have the full Omada stack (managed router and managed poe switch), then you could put the AP(s) on a tagged management VLAN and create rules to block traffic except from known MACs. 

You could also create a dummy default VLAN which would be untagged on this port and whose DHCP settings would be nonsensical and maybe throw in a Policy Route to send any traffic with an IP on the dummy VLAN to a WAN port that isn't connected to anything (make sure you don't enable failover and test before going to production).  Problem is, anyone with time and patience may eventually figure out your other VLANs and configure their device to join those.

I don't know how many clients you have on the rest of the network, but creating MAC groups and applying rules may also be of interest.

If you don't care, you can always expoy the network cable to the AP body, or otherwise securely fix it to the AP body to prevent easy removal.

Penetrate the wall/building envelope as close to the AP as possible to reduce the amount of cable your perp has to play with.  If you are really paranoid, you could use a short cable initially and remove the RJ45 connector's locking tab on the indoor end, and use an inline CAT6 bulkhead splice, any serious mechanical tug will then pull the cable out of the cable joiner, mechanically disconneting the cable.  One would require access to the inside of the building to reconnect.