I wonder if it is possible to control the access to a smart card's PKCS11 interface with an on-card appleti think no. Actually your question is not clear. What does it mean "to control access to PKCS11 interface", why does anybody need it? It is possible to create applet which supports functions needed by PKCS11 such as store data, certificate, key objects and crypto operations. But applet is not enough. One needs also to create *.dll for windows or *.so for linux library which provides PKCS11 API for smart-card with the applet.
I think I read somewhere, that the PKCS11 interface is independent from the JVM running on the smart cardpkcs11 specification know nothing about JVM. It is API described in C language to work with tokens which are not mandatory java cards.
If it is not possible I also wonder if there is any way to create an strong auth token e.g. a certificate in a smart card appletwhy not, i do not know what is "strong auth" though.