If your VLANs and your IP addressing follow similar boundaries, then I think it might be easiest to use the IP addresses to control the access.
For example:
vlan 100 = 10.100.x.y
vlan 101 = 10.101.x.y
or even
vlan 100 = 10.100.x.[100-119]
vlan 101 = 10.100.x.[120-140]
Web servers don't have access to the VLAN ID from the packet.
You'd then need to craft your web server rules to do things based on the client IP.
====
EDITED: What about just rewriting the dst IP address from the specific VLANs to an extra interface that can do the layer 7 rewriting that you want done? It should be invisible to the end user (as long as that filter stays up). Using iptables to modify layer 7 data seems expensive.
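A sketch of the client-IP approach for both addressing plans above, added here as an example and not part of the original answer. The function names, the /16 prefix length and the `POLICY` table are assumptions; the second plan needs a last-octet check because ranges like .100-.119 are not CIDR-aligned.

```python
import ipaddress

# Plan 1 from the answer: one block per VLAN (10.<vlan>.x.y); /16 is assumed.
SUBNET_PLAN = {
    100: ipaddress.ip_network("10.100.0.0/16"),
    101: ipaddress.ip_network("10.101.0.0/16"),
}

# Plan 2 from the answer: VLANs share 10.100.x.y and differ by last octet.
SHARED_NET = ipaddress.ip_network("10.100.0.0/16")
OCTET_PLAN = {
    100: range(100, 120),  # .100-.119
    101: range(120, 141),  # .120-.140
}

# Constructed policy: URL prefixes each VLAN may reach; anything else is denied.
POLICY = {100: ("/",), 101: ("/public/",)}


def _parse_v4(client_ip):
    """Return an IPv4Address, or None for malformed or non-IPv4 input."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    return addr if addr.version == 4 else None


def vlan_by_subnet(client_ip):
    addr = _parse_v4(client_ip)
    if addr is None:
        return None
    return next((v for v, net in SUBNET_PLAN.items() if addr in net), None)


def vlan_by_last_octet(client_ip):
    addr = _parse_v4(client_ip)
    if addr is None or addr not in SHARED_NET:
        return None
    last = addr.packed[-1]
    return next((v for v, octs in OCTET_PLAN.items() if last in octs), None)


def is_allowed(client_ip, path, classify=vlan_by_subnet):
    # client_ip must be the TCP peer address the server saw, not a
    # client-supplied header such as X-Forwarded-For.
    vlan = classify(client_ip)
    return vlan is not None and path.startswith(POLICY.get(vlan, ()))
```

Addresses that match no VLAN, including the gaps in the last-octet plan, are denied by default.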