I would recommend separation of those applications into respective sub-accounts. The hierarchy can be defined in AWS Organizations and you avoid resource overlapping of any kind.
All these applications use the same backend and what not. This makes it easier to share access / permissions vis security groups and IAM role. Its actually separated quite well, just rediculous that if I try to destroy an environment I can't.