I ended up finding a decent solution to this problem myself.
Instead of using multiple virtual servers with multiple access policies, I consolidated everything down to one access policy and one virtual server.
The access policy's first step is to look at the requested hostname and branch off into the correct validation:
Advanced anonymous branch rule:
    expr {
        [mcget {session.server.network.name}] eq "anon1.mysite.com"
        || [mcget {session.server.network.name}] eq "anon2.mysite.com"
    }
Advanced reporting branch rule:
    expr {
        [mcget {session.server.network.name}] eq "reporting.mysite.com"
    }
...
Having the access policy validate the policy based on the hostname allows me to have a catch-all style validation with a single virtual server.
Hope this helps someone else!