Mosquitto: Allow only certain users on specific listeners

I have been using CloudMQTT for things like OwnTracks and, more recently, Zanzito. This works OK, but I really want to cut out the middleman. I am aware this means opening an additional port and what comes with that.

I have successfully set up the TLS/SSL listener with my LetsEncrypt certificates and can get Zanzito to connect to it OK.

Is it possible to create a new mosquitto user and only allow that user to connect via the TLS/SSL listener? I want to leave the in-network listener set up with basic username/password authentication, and then have a more complex password for the external connections. I have read through a lot of mosquitto documentation and forum posts, but am not sure what to do. This is probably just me not understanding Mosquitto enough. Here are my listener configurations. Everything else is default in the config file. I have one user set up.

# Port to use for the default listener.
port 1883
listener 9001
protocol websockets

# MQTT over TLS/SSL
listener 8883
cafile /etc/ssl/certs/DST_Root_CA_X3.pem
certfile /etc/letsencrypt/live/xxxxx.duckdns.org/fullchain.pem
keyfile /etc/letsencrypt/live/xxxx.duckdns.org/privkey.pem

Any help here is appreciated.