Your problem is not adding a AP to your lan it is adding a new wireless network that allows only internet. You want the new network to talk to your internet router but not to your lan.

You will need a more advanced router that can support multiple inside connection. Most the time this is done with AP or routers that are designed to advertise 2 SSID and assign them to different networks. These features are why commercial grade equipment cost much more.

You may be able to make this work somewhat securely by placing a second router behind your main router and then set a restriction to only allow traffic between this second router and your main router but not to any other PC behind the main router.

A 2 router setup is difficult enough but is your cheapest option