Thanks for responding, and good to know it’s working in the context of a rule!
I suppose I’d need to see the structure of the app_metadata, but that being said it seems like there could be a compatibility issue regarding legacy (authorization extension/rules) vs current (authorization core/actions). You can read more about Authorization Core vs. Authorization extension as well as the best practice to add roles to tokens using an Action:
https://auth0.com/docs/authorization/authorization-core-vs-authorization-extension
https://community.auth0.com/t/how-to-add-roles-and-permissions-to-the-id-token-using-actions/84506
Hope this helps if you decide to go that route 