These elements (columns) cannot be bound into JDBC which is why this mechanism will not support them as parameterized. There are two options to do this safely - ideally you should use both:
Validate the columns in these via positive / whitelist validation. Each column name should be checked for existence in the associated tables or against a positive list of characters (which you have done)
You should enquote each column name - adding single quotes around the columns. If you do this, you need to be careful to validate there are no quotes in the name, and error out or escape any quotes. You also need to be aware that adding quotes may make the name case sensitive in many databases.
The second is important because characters can sometimes be used to end a column and add a SQL injection. I believe the current characters are safe but you want to future proof this against someone adding to the list.
Within your function is would be better (as @juliane mentions) to return the value in your validation function. That will allow you to mark the return value as "sanitized" for SQL injection purposes in many code checking tools. Snyk seems to allow you do this with custom santizers but I couldn't track down a lot of documentation on how to do this. The benifit here is that everywhere you use this validation function would then be automatically recognized by Snyk.