Select-Object For AD Groups Only

1

I'm trying to set up a script to find all permission information of file shares on our network.

At the moment I have a PowerShell script that does this, but it includes groups, users, SID accounts, everything.

I have manually filtered the SID accounts, but I was wondering if there is a Select-Object so that only Active Directory group information is shown. Here is a snippet of the code I have at the moment:

$ACLs = Get-Acl -Path $Folder.FullName |
    ForEach-Object { $_.Access } |
    Where-Object { $_.IdentityReference -notlike "*S-1-5*" }   # drop unresolved/orphaned SIDs

Perhaps something along the lines of objectClass -like "group"??

The Woo

Posted 2014-08-08T00:03:22.630

Reputation: 377

Answers

0

I asked this question on TechNet as well, so for anyone who is interested, here is the solution I'm using:

$ACLs = Get-Acl -Path $Folder.FullName |
    ForEach-Object { $_.Access } |
    Where-Object {
        # skip orphaned SIDs and identities with no DOMAIN\ prefix (e.g. "Everyone"),
        # then keep the entry only if dsquery finds a group with that sAMAccountName
        $_.IdentityReference.Value -notlike "*S-1-5*" -and
        $_.IdentityReference.Value -like "*\*" -and
        (dsquery group -samid $_.IdentityReference.Value.Split("\")[1])
    }

That worked to only return the 'group' AD items.

The Woo

Posted 2014-08-08T00:03:22.630

Reputation: 377

0

You can't get the info you're looking for directly from the IdentityReference, but if you throw some logic at it (not unlike the direction you were already heading in to filter out the SID accounts), you can narrow it down to just AD objects.

Import-Module ActiveDirectory   # provides Get-ADObject

Get-Acl -Path $Folder.FullName | ForEach-Object { $_.Access } | ForEach-Object {
  [string]$Identity = $_.IdentityReference
  # a backslash means the identity belongs to some domain (local or AD);
  # the two -notlike tests drop the well-known local ones
  if ($Identity -like '*\*' -and $Identity -notlike 'BUILTIN*' -and $Identity -notlike 'NT AUTHORITY*') {
    $SamAccountName = $Identity.Split('\')[1]
    $ADObject = Get-ADObject -Filter ('SamAccountName -eq "{0}"' -f $SamAccountName)
    if ($ADObject.ObjectClass -eq 'group') {
      $Identity
    }
  }
}

The bulk of the work here is done by that "if" statement. Testing for a backslash ensures that the object is part of a domain of some sort (local or AD or otherwise). It then throws out the local domains I was seeing in my testing.

In my case this was enough to ensure I was always getting AD objects, whether they be users or groups, and after that it's pretty simple to get the ADObject and test its object class.

If you're going to be doing this in an environment with only one domain, you could change the if statement to look for that alone, which would cut down the number of test cases, e.g.:

if ($Identity -like 'test.domain.com\*')

You could also take this further and get the actual ADGroup object, etc.

Windos

Posted 2014-08-08T00:03:22.630

Reputation: 10 080
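As an added example that is not code from either answer, the approach both answers describe (discard identities that are orphaned SIDs, local or built-in principals, then resolve the remaining sAMAccountName in AD and keep only entries whose objectClass is group) carried through for a whole share tree. It goes a little beyond the answers: it maps every domain in the forest by NetBIOS prefix using Get-ADForest and Get-ADDomain so identities from any domain resolve against the right DC, caches lookups so each principal is queried once, and writes the result to CSV. The share path, output path and the function name Get-IdentityObjectClass are my own placeholders; it assumes the ActiveDirectory (RSAT) module is installed and the running account can read the share and query the forest.

```powershell
# Added example (not from either answer): list the ACEs on every folder under a
# share that are granted to Active Directory groups, skipping local accounts,
# BUILTIN / NT AUTHORITY principals and orphaned SIDs.
# Assumptions: ActiveDirectory (RSAT) module present; the running account can
# read the share and query each domain; $ShareRoot and $OutputCsv are placeholders.
Import-Module ActiveDirectory

$ShareRoot = '\\fileserver\share'              # placeholder: share to audit
$OutputCsv = '.\share-group-permissions.csv'   # placeholder: report location

# Map each domain's NetBIOS name (the "DOMAIN" in "DOMAIN\name") to its DNS name
# so that Get-ADObject can be pointed at a DC of the correct domain.
$DomainMap = @{}
foreach ($DnsName in (Get-ADForest).Domains) {
    $DomainMap[(Get-ADDomain -Identity $DnsName).NetBIOSName] = $DnsName
}

# Cache: identity string -> objectClass (or $null), so each principal is looked up once
$ClassCache = @{}

function Get-IdentityObjectClass {
    param([string]$Identity)

    if ($ClassCache.ContainsKey($Identity)) { return $ClassCache[$Identity] }

    $Class = $null
    # A resolvable domain principal looks like "DOMAIN\sAMAccountName". Anything else
    # (bare "Everyone", "BUILTIN\Administrators", "S-1-5-21-..." orphans,
    # "SERVER\localuser") either has no backslash or a prefix not in $DomainMap.
    if ($Identity -like '*\*') {
        $NetBios, $SamAccountName = $Identity.Split('\', 2)
        if ($DomainMap.ContainsKey($NetBios)) {
            try {
                $ADObject = Get-ADObject -Server $DomainMap[$NetBios] `
                    -Filter "sAMAccountName -eq '$SamAccountName'" -ErrorAction Stop
                if ($ADObject) { $Class = $ADObject.ObjectClass }
            } catch {
                Write-Warning "Could not resolve '$Identity': $($_.Exception.Message)"
            }
        }
    }
    $ClassCache[$Identity] = $Class
    return $Class
}

Get-ChildItem -Path $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Folder = $_
        try {
            $Acl = Get-Acl -Path $Folder.FullName -ErrorAction Stop
        } catch {
            # unreadable folder: record it and move on to the next one
            Write-Warning "Cannot read ACL on '$($Folder.FullName)': $($_.Exception.Message)"
            return
        }
        $Acl.Access |
            Where-Object { (Get-IdentityObjectClass $_.IdentityReference.Value) -eq 'group' } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder    = $Folder.FullName
                    Group     = $_.IdentityReference.Value
                    Rights    = $_.FileSystemRights
                    Type      = $_.AccessControlType
                    Inherited = $_.IsInherited
                }
            }
    } |
    Export-Csv -Path $OutputCsv -NoTypeInformation
```

Keeping the IsInherited column lets you filter the CSV down to explicit grants, which is usually where a permission review finds the interesting entries; the warnings for unreadable folders and unresolvable names are worth keeping in the report rather than suppressing, since a folder the auditing account cannot read is itself a finding.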