This is how it works for me:
WIFI_SSID="test-ap"
WIFI_PSK="12345678"
sudo nmcli connection add \
connection.id ap \
type bridge \
ifname br0 \
bridge.stp no
sudo nmcli connection add \
connection.id lan \
type ethernet \
master br0
sudo nmcli connection add \
connection.id wlan \
type wifi \
master br0 \
wifi.mode ap \
wifi.ssid "${WIFI_SSID}" \
wifi-sec.pairwise ccmp \
wifi-sec.key-mgmt wpa-psk \
wifi-sec.psk "${WIFI_PSK}"
sudo nmcli connection up ap
sudo nmcli connection up lan
sudo nmcli connection up wlan
Be sure to disable/remove other connections to avoid race conditions.