RBAC in two applications under same tenant


I have a shared API between a client-facing and an internal application. The user pool includes both external and internal users. Internal users should be able to access both applications, but external users should only be able to access the client application. Is there a way to enable RBAC on the application side (can’t see any settings not relating to the API) so that external users can’t log in to the internal app without checks built into the app code itself (using the roles in the token post-login)?