Yes, on a VLAN for each network.
If it's highly sensitive or for compliance, separate switches are needed for these networks to avoid VLAN hopping or misconfigured switches that allow access to restricted network assets. Normally it's not needed though.
A separate firewall also sounds like it's not needed unless you have some serious security concerns.
ZeroTier doesn't sound like the best tool for the job though.
Something like OpenVPN with certificates and perhaps with added OTP is much better suited.
You want to give access to people on a time-limited basis. Certificates have expiration so that is great. OTP ensures that knowing passwords and having a certificate is not enough.
When clients log in they are put in a specific IP and you control their network access to their VLANs through your firewall's rules.
That way you have something that can grow. VPN provides access and security is handled in your firewall.
If you want something hosted (like ZeroTier is), I'd look into Cloudflare Access. They use WireGuard for the VPN access and their network controls access.
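The fixed-IP-per-client plus firewall-rule arrangement described above, as an added example that is not part of the original post: it generates OpenVPN `client-config-dir` files and matching nftables forward rules from one client table. Assumptions: the server uses `topology subnet` with `client-config-dir`, an nftables `inet filter` table with a `forward` chain already exists, and the client names, addresses and dates are constructed; omitting the accept rule once the end date has passed is an extra check layered on top of certificate expiry.

```python
import ipaddress
from datetime import date

TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")  # assumed VPN address pool

# Constructed sample data: certificate CN, fixed tunnel IP, the VLAN subnet
# the client may reach, and the last day access is allowed.
CLIENTS = [
    {"cn": "vendor-a", "ip": "10.8.0.10", "vlan": "192.168.20.0/24", "until": "2999-12-31"},
    {"cn": "vendor-b", "ip": "10.8.0.11", "vlan": "192.168.30.0/24", "until": "2020-01-31"},
]


def validate(clients):
    """Reject tables where a client lacks a unique address in the tunnel pool."""
    seen = set()
    for c in clients:
        ip = ipaddress.ip_address(c["ip"])
        if ip not in TUNNEL_NET:
            raise ValueError(f"{c['cn']}: {ip} is outside {TUNNEL_NET}")
        if ip in seen:
            raise ValueError(f"{c['cn']}: {ip} already assigned")
        seen.add(ip)
        ipaddress.ip_network(c["vlan"])  # raises on a malformed subnet


def ccd_files(clients):
    """Map CN -> contents of its client-config-dir file (topology subnet)."""
    validate(clients)
    return {c["cn"]: f"ifconfig-push {c['ip']} {TUNNEL_NET.netmask}\n" for c in clients}


def nft_rules(clients, today):
    """Forward rules: one accept per client still in date, then drop the pool."""
    validate(clients)
    rules = []
    for c in clients:
        if date.fromisoformat(c["until"]) < today:
            continue  # access window over: no accept rule is emitted
        rules.append(f"add rule inet filter forward ip saddr {c['ip']} "
                     f"ip daddr {c['vlan']} accept")
    rules.append(f"add rule inet filter forward ip saddr {TUNNEL_NET} drop")
    return rules


if __name__ == "__main__":
    for cn, body in ccd_files(CLIENTS).items():
        print(f"# ccd/{cn}\n{body}", end="")
    print("\n".join(nft_rules(CLIENTS, date.today())))
```

Setting `ccd-exclusive` on the server makes OpenVPN refuse any certificate that has no file in the directory, so every connected client has a known address for the firewall to match.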