Interesting question. I don't think there's a great way of setting up a dynamic wild card match like you want.
Tried it out on my end as well and can't seem to get it going with different syntax checks.
What I would suggest instead is to restructure the custom properties a little instead.
Maybe use one custom property, AccessCode, and assign it to both apps and users and then just match ABC to ABC.
This should give you a baseline app grouping and matching to users. Combined with Streams you already have pretty good segmentation options.
Assign a second custom property allows for another level of segmentation, down to individual apps for example. Maybe call this property AppAccessCode with values ABC123 and ABC456. Tag this custom property to both users and apps as well and have a second security rule that matches app access for when users and apps have matching values for this custom property.
Your AccessCode Custom Property will provide app access on a more "aggregated" level while the AppAccessCode will provide app access on a more "granular" level.
I was trying to avoid the creation of additional codes on the user, as that is being administered elsewhere and if I could use the single codes we already have then it would make things much simpler.
What i am actually trying to do is have an app with ABC access which has several content libraries accessible from it, hence ABC123 and ABC456. We could then have another app with DEF and corresponding DEF123 and DEF456 content libraries.
It looks like I might have to look at a way of automatically splitting out the ABC into a new additional user property before it passes to Qlik. Then everything else should fall into place.