When you configure an SSID on the MSM controller, there are check boxes in Global - use controller for: authentication and access control.
When only Authentication is checked, the controller tells the the AP to allow traffic on the local switch port it is connected to. Your radius server must tell the AP which VLAN to use for that user. The AP & switch must have that VLAN configured. When authenticated, user traffic goes from the AP to the switch to the network. DHCP requests go to the router or DHCP server on that VLAN.
When access control is also checked the traffic is routed back to the controller through a secure tunnel, then sent to the network from the controller's LAN port. Then out the egress VLAN configured on this port.
To use the egress network setting on the controller, you have to check both. You may have to use the DHCP server option on the controller as well, because not sure if it relays DHCP requests.
If you used the option to set egress network then you had both checked, so your traffic went back to the controller, not through the switch, so not setting VLAN64 on the switch had no effect.
Been a while since I configured my MSM network - I only use the AC mode for guest networks so they would not see my DHCP server anyway