Yes, input that doesn't follow the implied contract of the endpoint is "something perceived to be a client error", and should return 400.
The exception to this is if the business rule is security related (then 401 Unauthorized or 403 Forbidden would be better). Alternatively, if sending a 400 would leak information about something's existence, then a 404 Not Found may be more appropriate.
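The status choices described above, as an added example that is not part of the original answer: a status selector for a hypothetical `POST /orders/<id>/cancel` endpoint, where the existence check runs before validation so a 400 cannot confirm that another user's order id is real. The endpoint, `ORDERS`, `USERS`, `can_cancel` and `cancel_order_status` are assumptions made for illustration.

```python
from http import HTTPStatus

# Constructed sample data, not taken from the original answer.
ORDERS = {
    "1001": {"owner": "alice", "state": "open"},
    "1002": {"owner": "bob", "state": "shipped"},
    "1003": {"owner": "carol", "state": "open"},
}
USERS = {
    "alice": {"can_cancel": True},
    "bob": {"can_cancel": True},
    "carol": {"can_cancel": False},  # read-only account
}


def cancel_order_status(user, order_id, body):
    """Pick the HTTP status for a hypothetical POST /orders/<id>/cancel."""
    # Security-related: no authenticated caller -> 401 Unauthorized.
    if user is None or user not in USERS:
        return HTTPStatus.UNAUTHORIZED

    # Unknown ids and ids owned by someone else get the same 404, and this
    # check runs before input validation. If validation ran first, a 400 for
    # a bad body would tell the caller that the order exists.
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return HTTPStatus.NOT_FOUND

    # Security-related business rule on a resource the caller may see:
    # the caller is known but not permitted to do this -> 403 Forbidden.
    if not USERS[user]["can_cancel"]:
        return HTTPStatus.FORBIDDEN

    # Input that breaks the endpoint's contract -> 400 Bad Request.
    reason = body.get("reason") if isinstance(body, dict) else None
    if not isinstance(reason, str) or not reason.strip():
        return HTTPStatus.BAD_REQUEST

    # Non-security business rule violated by well-formed input -> 400.
    if order["state"] != "open":
        return HTTPStatus.BAD_REQUEST

    return HTTPStatus.OK
```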