Exim ACLs are run before the actual command is completed, but after the command syntax is verified.
For example, for AUTH PLAIN, Exim first checks that the data is correctly Base64-encoded, and only after that runs the defined ACL. If the ACL accepts the AUTH, it is processed.