Thanks for responding, and good to know it’s working in the context of a rule!
I suppose I’d need to see the structure of the app_metadata, but that being said, it seems like there could be a compatibility issue regarding legacy (authorization extension/rules) vs current (authorization core/actions). You can read more about Authorization Core vs. Authorization Extension as well as the best practice to add roles to tokens using an Action: