I *think* the issue was DNS - the AP22 defaults to using CloudFlare DNS servers, but my firewall blocks DNS bypass and and only allows DNS queries to the one provided by DHCP. Setting this in Device->Access Details and then the "..." menu DNS lets you select "DHCP" assigned DNS.That it defaults to something other DHCP assigned is really bad - I expect it has to do with the default "content classification" setting? Which I also strongly dislike.
In the web portal for DNS click into inventory and then click the cogwheel on the right had site and then select DNS and make your changes. For DPI click on applications then click on the cogwheel and select Application activity summary to turn off DPI.