Filter Script for members of AD-only Group

I need to target a deployment at devices that are members of a specific on-premises Security Group (non-hybrid-joined).
It should be possible to write a function similar to Get-ImmyADComputer to ask a DC in the org for the group memberships of a particular computer, then call this in an inventory script that only executes for AD-joined machines, and finally write a filter script to target a particular group name.
Anyone already built a solution for this, or is there a built-in way to achieve the same objective that I’m missing?

I got this working using the method I outlined. Glad to share with anyone trying to solve the same problem.