I've not used AIX, but do not think it is possible.
You can use the hosts.allow/hosts.deny if your SSH has tcp_wrappers to deny based on IP.
If sshd with tcp_wrappers handles the user@ip,
The other issue is that deny supersedes allows such that an entry in Allow userok@ip_good will be ignored because of the entry in DENY: sshd:userok@*
I've not tested whether username@ is even an option which seems rather problemativ as it will be a nightmare to track down. i.e. user is active everywhere except the user can not connect.