Hi,
According to your issue, here are my suggestions:
To achieve 'Always On VPN separate IP pools per user group', the network devices should support the VLAN feature. Then we can set up the RADIUS server by specifying the user group and the corresponding VLAN ID in the network policy. It will automatically assign the port that the computer connects to into the VLAN based on the ID we specified in the policy, and obtain the address issued from the DHCP server.
However, the environment in AWS doesn't support VLAN. It seems that you should switch to an environment which supports the VLAN feature to achieve this purpose, or use another third-party application such as Cisco, as you mentioned.
The following links are cases similar to your issue; you can refer to them:
https://social.technet.microsoft.com/Forums/en-US/420c26c7-79c4-44e9-b6e1-d386fb0d022f/remote-access-separate-ip-pools-per-user-group?forum=winserverNIS
https://social.technet.microsoft.com/Forums/en-US/0a45e460-5284-4517-b772-9c99d4b8380c/can-dhcp-scopes-selected-based-on-users-ou-or-any-other-attribute-of-the-user-account?forum=winserverNIS
-------If my answer is helpful to you, please remember to mark it as the answer. Thank you!------
Regards
Gloria
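The mechanism described in the answer above (RADIUS network policy carries a VLAN ID per user group, the switch moves the port into that VLAN, DHCP for that VLAN issues the address) rides on the RFC 2868 tunnel attributes in the Access-Accept. The following is an added example, not code from the thread or from Microsoft: it encodes those attributes the way an NPS-style per-group policy would, and then applies the check a compliant switch performs before honouring them. The group names, VLAN numbers and the policy table are constructed sample values.

```python
"""Added example (not from the thread): per-group VLAN assignment over RADIUS.

Encodes the three RFC 2868 tunnel attributes an NPS network policy would place
in an Access-Accept for a matching user group, and parses them back the way a
switch does before moving the port into the VLAN. The DHCP scope bound to that
VLAN then hands out the address. Group names and VLAN IDs are constructed.
"""
import struct

# RFC 2868 attribute numbers and the values used for VLAN assignment (RFC 3580)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

# Constructed policy table: stands in for one NPS network policy per AD group.
GROUP_VLAN_POLICY = {
    "VPN-Finance": 20,
    "VPN-Engineering": 30,
}


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS AVP: Type(1) Length(1) Value; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(attr_type: int, value: int, tag: int) -> bytes:
    """Tagged integer attribute: Tag(1) followed by a 3-byte big-endian integer."""
    return _attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def build_vlan_attributes(groups, tag: int = 1) -> bytes:
    """Attribute bytes the policy would return for the first matching group.

    Returns b"" when no policy matches, i.e. the user gets no VLAN override.
    """
    for group in groups:
        vlan = GROUP_VLAN_POLICY.get(group)
        if vlan is not None:
            return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
                    + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
                    + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))
    return b""


def parse_attributes(data: bytes) -> list:
    """Walk the AVP list; raise on malformed lengths instead of misreading them."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_accept(data: bytes):
    """What the switch does: honour Tunnel-Private-Group-ID only when the
    same-tag Tunnel-Type says VLAN and Tunnel-Medium-Type says IEEE-802,
    and the group ID is a valid VLAN number. Returns None otherwise."""
    by_tag = {}
    for t, v in parse_attributes(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(v) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            tag, body = v[0], int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # The tag byte is only present when it is <= 0x1F (RFC 2868 section 3.6).
            if v and v[0] <= 0x1F:
                tag, body = v[0], v[1:]
            else:
                tag, body = 0, v
        else:
            continue
        by_tag.setdefault(tag, {})[t] = body
    for a in by_tag.values():
        if (a.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and a.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in a):
            gid = a[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


if __name__ == "__main__":
    accept = build_vlan_attributes(["Domain Users", "VPN-Finance"])
    print(accept.hex(), "->", vlan_from_accept(accept))
```

Because the port's VLAN is decided entirely by what arrives in the Access-Accept, the switch-side check matters: it ignores a Tunnel-Private-Group-ID whose companion attributes do not describe an IEEE 802 VLAN, and rejects out-of-range IDs, so a mis-built or unrelated policy cannot place a client in an unintended segment.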