yes, it is possible. I couldn't find it right now, but there is a checkbox somewhere in the QMC - or maybe in the document_properties - to "restrict visibility based on Section_Access". That means that persons who you haven't specified in your SA to have access to the document cannot see it on AccessPoint.
it is strange that your user is able to access an app that he/she does not actually have a license for - should be impossible.
Anyway - look up the Section_Access. You can give ADMIN or USER access to an app to specific users, e.g. using their NTNAME (PC logon) - other persons that you haven't specified there will not be able to open the app, although they might have a license for it.
OK now let me explain with example.
Say I have two Applications 1. Sales and 2. Inventory.
Now I have 3 Users, Say User1, User2 and User3.
The Authorization is as follows.
User1 -> only Sales
User2 -> only Inventory
User3 -> Both.
Now what I will do first is Assign the Document CAL's to the users and document.
What will happen in this scenario is All users will see all applications, but when they click on the application, the application will open only if that user has proper license.
Now requirement is User should see the application which they are authorized to.
Due to the Windows Security, "Users" group will be included in the security of the file.
What needs to be done is, remove the Users Group from security. And Add the users who are authorized to see the application.
So in our example
1. Sales application will have User1 and User3 included in security Tab.
2. Inventory application will have User2 and User3 included security Tab.
So User1 will see only Sales application, User2 will only Inventory and User3 will see both applications.