Complete USB device isolation?

Is there a way to completely isolate USB devices so they are each sent only to the appropriate container? At the moment I have 2 identical devices connected, and each needs to be connected to a separate container. After some searching I found that I needed to pass the devices by their bus/dev ID as --device=/dev/bus/usb/xxx/xxx, but I still get an error on the second process saying “cannot open, device or resource busy”.

The strangest part is that when I tested it last night it was working: both devices were receiving with no issue, yet today it simply won't work. Since then I've attempted to run the docker start processes as different users, each with the device in /dev/bus/usb/xxx/ chowned to that user, but I still get the error.

I'm sure it's something really simple I must be missing, as sandboxing devices should be possible, surely.

OS: Ubuntu 18.04 x64
Systems: Lenovo X1 carbon 2018, custom built PC on Asus H110 Mainboard
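
Added example, not part of the original post: bus and device numbers under /dev/bus/usb are assigned at enumeration and can change after a replug or reboot, so a fixed --device path can end up naming a different device than intended. The sketch below resolves the node from sysfs by vendor:product plus a serial number or port path, and refuses to pick when the match is ambiguous. The function name `usb_node_for`, the `SYSFS_USB` override and the IDs in the usage comment are hypothetical or constructed.

```shell
#!/bin/sh
# Added example (not from the original post): map one specific USB device to
# its current /dev/bus/usb/BBB/DDD node, so each container is handed exactly
# the device meant for it even after bus/device numbers change.
# SYSFS_USB is a hypothetical override so the lookup can be tested offline.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# usb_node_for VID:PID KEY
#   KEY is either the device's serial string or its sysfs port path (the
#   directory name, e.g. "1-2"). Identical devices that report the same serial,
#   or none at all, have to be told apart by port path.
usb_node_for() {
    vidpid="$1"; key="$2"; found=0; node=""
    if [ -z "$vidpid" ] || [ -z "$key" ]; then
        echo "usage: usb_node_for VID:PID SERIAL_OR_PORT" >&2
        return 2
    fi
    for dev in "$SYSFS_USB"/*; do
        # Interface entries such as 1-2:1.0 carry no idVendor file; skip them.
        [ -r "$dev/idVendor" ] || continue
        [ "$(cat "$dev/idVendor"):$(cat "$dev/idProduct")" = "$vidpid" ] || continue
        serial=$(cat "$dev/serial" 2>/dev/null || true)
        if [ "$serial" = "$key" ] || [ "${dev##*/}" = "$key" ]; then
            # sysfs reports busnum/devnum as plain decimals; the device node
            # path zero-pads both to three digits.
            node=$(printf '/dev/bus/usb/%03d/%03d' \
                "$(cat "$dev/busnum")" "$(cat "$dev/devnum")")
            found=$((found + 1))
        fi
    done
    # Never guess: zero or several matches means the wrong container could get
    # the device, so fail instead of returning a node.
    if [ "$found" -ne 1 ]; then
        echo "expected exactly 1 match for $vidpid / $key, found $found" >&2
        return 1
    fi
    echo "$node"
}

# Usage (constructed IDs; <image> is a placeholder):
#   node=$(usb_node_for 1234:abcd CONSTRUCTED-SERIAL-A) && \
#       docker run --device="$node" <image>
```

Resolving the node immediately before each container start keeps the mapping correct across replugs; the lookup says nothing about whether another process on the host already holds the device open.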