For gateways in the same management domain, you can't prevent them from authenticating, only passing traffic. To prevent authentications, you'll need to have an additional authentication tier, such as RADIUS, which can filter the incoming request with the authorized users.
However, there's debate about the correctness of using multiple Remote Access communities. This would allow you to do what you want. I have a customer who has multiple RA communities defined and it seems to work for them (R81.10 management at the time, and R81.10 gateways). I can't find official documentation stating that it works, but you can configure it in SmartConsole and try it.
If you have R81.10 management AND R81.10 gateways or higher, you can try this:
Go to your object list, select VPN communities, right-click on the existing RA community (this is the only way it works; don't click the "New" button or right-click anywhere else; you must right-click on the existing community). In the fly-out menu, you then have a New option and can configure a new RA community.
Create two RA communities (or re-use the existing one and rename it), RA_1 and RA_2.
In RA_1, add gw1 as gateway and LDAP_Group_1 as the participating users.
In RA_2, add gw2 as gateway and LDAP_Group_2 as the participating users.
You still want to use access roles in your policy to control traffic through the gateways. Don't use "GW1" or "GW2" in the "destination" column; this will never match what you want. Be sure to test this as heavily as you can; don't assume the first test is a satisfactory match. Test this many MANY times!
There's no guarantee this will work, however. If your management, and your gateways, are less than R81.10, then this is almost certain to fail.
Good luck!