I believe it works this way: The SecurityProxy that you write as part of the AOP should implement the org.jboss.security.SecurityProxy interface, which requires that you implement a setEJBContext() method. JBoss will call this method prior to the invoke() of the EJB method. Then you will have the SessionContext as an instance variable and can get the principal from it and use it in whatever validation code you write.
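As an added illustration of the pattern the reply describes (this is example code, not something posted in the thread or shipped with JBoss): a SecurityProxy whose setEJBContext() keeps the context the container hands it, and whose invoke() reads the caller principal from that context and fails closed when the caller is missing or not permitted. Only setEJBContext() and invoke() come from the reply; the init() and invokeHome() signatures are assumed from the JBoss 3.x/4.x interface, and the class name and the "operator"-only method list are a constructed sample policy.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.ejb.EJBContext;
import org.jboss.security.SecurityProxy;

/**
 * Added example, not from the post: the container calls setEJBContext()
 * before each invoke(), so invoke() can read the caller principal.
 */
public class CallerPrincipalSecurityProxy implements SecurityProxy {

    private EJBContext ctx;

    // Constructed sample policy: methods that only "operator" may call.
    // Every other business method is open to any authenticated caller.
    private static final Set<String> OPERATOR_ONLY =
        Collections.unmodifiableSet(new HashSet<String>(
            Arrays.asList("transferFunds", "closeAccount")));

    // init(...) signatures are assumed from the JBoss 3.x/4.x interface;
    // this check needs no per-bean setup, so both overloads are empty.
    public void init(Class beanHome, Class beanRemote, Object securityMgr) {
    }

    public void init(Class beanHome, Class beanRemote, Class beanLocalHome,
                     Class beanLocal, Object securityMgr) {
    }

    // Called by JBoss before invoke(); keep the context for the check below.
    public void setEJBContext(EJBContext ctx) {
        this.ctx = ctx;
    }

    // Home methods (create/find) are left to declarative security here.
    public void invokeHome(Method m, Object[] args) throws SecurityException {
    }

    public void invoke(Method m, Object[] args, Object bean)
            throws SecurityException {
        Principal caller = (ctx == null) ? null : ctx.getCallerPrincipal();
        String callerName = (caller == null) ? null : caller.getName();
        if (!isAllowed(callerName, m.getName())) {
            // Report who and what was refused, never the call arguments.
            throw new SecurityException("caller " + callerName
                + " may not invoke " + m.getName());
        }
    }

    // Pure policy decision, kept apart from the container so it can be
    // unit-tested without deploying the bean.
    static boolean isAllowed(String callerName, String methodName) {
        if (callerName == null) {
            return false;                       // unauthenticated: fail closed
        }
        if (OPERATOR_ONLY.contains(methodName)) {
            return "operator".equals(callerName);
        }
        return true;
    }
}
```

The proxy is attached to a bean with the security-proxy element in its jboss.xml entry; the decision itself lives in isAllowed(), so the only container dependency is the principal obtained from the context that setEJBContext() stored.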
There is an internal thread local that contains the associated security context. The JBoss AOP framework has integration points with this. What is the AOP configuration you're using?