If your NICs on the server are set up to route the traffic properly, you can create a setup like this. Specifically, this setup was used to monitor two different networks with a single Orion instance in my case, where each NIC connected to one of the two different networks and traffic was routed accordingly between the two server NICs.
This should be doable to isolate your server-SQL connection, but your NICs on the box need to be set up so that device & user subnets come in/out over the vlan 101 mapped interface and the DB connection flows over the vlan 201 mapped interface.
The APE would need to be configured somewhat the same way, where vlan 201 is needed for your DB and Primary Server connections, but the other NIC can be on whatever vlan is used for user/web and device traffic.
If proper traffic direction is in place then you should be able to make this work. I would want to set this up with a new deployment - or migration. But it does seem possible to also change an existing setup to work this way.
Loop1 Systems: SolarWinds Training and Professional Services
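
One way to check on the polling server that each kind of traffic leaves by the interface described above (an added example, not part of the original post; the interface aliases, IP addresses and TCP port 1433 are assumed placeholders to replace with your own):

```powershell
# Assumed values, not from the post: replace with your environment's.
$DbNicAlias   = 'NIC-VLAN201'     # interface mapped to vlan 201 (DB / Primary Server)
$UserNicAlias = 'NIC-VLAN101'     # interface mapped to vlan 101 (devices / users)
$SqlServerIp  = '192.0.2.10'      # placeholder SQL Server address
$DeviceIp     = '198.51.100.20'   # placeholder monitored-device address
$SqlPort      = 1433              # assumed default SQL Server port

function Get-EgressInterface {
    param([Parameter(Mandatory)][string]$RemoteIp)
    # Find-NetRoute returns both the source address and the route the stack
    # would select; only the route object carries DestinationPrefix.
    $route = Find-NetRoute -RemoteIPAddress $RemoteIp |
        Where-Object { $_.DestinationPrefix } |
        Select-Object -First 1
    return $route.InterfaceAlias
}

$results = @(
    [pscustomobject]@{ Flow = 'SQL';    Target = $SqlServerIp; Expected = $DbNicAlias }
    [pscustomobject]@{ Flow = 'Device'; Target = $DeviceIp;    Expected = $UserNicAlias }
) | ForEach-Object {
    $actual = Get-EgressInterface -RemoteIp $_.Target
    [pscustomobject]@{
        Flow     = $_.Flow
        Target   = $_.Target
        Expected = $_.Expected
        Actual   = $actual
        Ok       = ($actual -eq $_.Expected)
    }
}
$results | Format-Table -AutoSize

# More than one IPv4 default route on a multihomed host makes the egress
# interface depend on metrics rather than on explicit routes, so flag it.
$defaults = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
if ($defaults.Count -gt 1) {
    Write-Warning ("Multiple default routes: " + ($defaults.InterfaceAlias -join ', '))
}

# Confirm with a live connection which interface the SQL session really uses.
$tcp = Test-NetConnection -ComputerName $SqlServerIp -Port $SqlPort
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "SQL Server not reachable on port $SqlPort"
} elseif ($tcp.InterfaceAlias -ne $DbNicAlias) {
    Write-Warning "SQL traffic leaves via '$($tcp.InterfaceAlias)', expected '$DbNicAlias'"
}
```

Running the same check on the APE, with its own aliases, covers the second half of the setup.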