For the historical record, and after confirming with the technician: the resolution on this ended up being that when using an OIDC login flow you have to add the roles/perms as a custom claim in a separate rule that runs after the Authorization Extension rule. The extension can only add the roles to the token when the application is a non-OIDC-conformant app.
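For anyone landing here later, the follow-on rule described above, written out as an added example (this is not the original poster's code nor an official Auth0 snippet). It assumes the Authorization Extension rule has already run and left `roles`, `groups` and `permissions` on `context.authorization`, and that the claim namespace `https://example.com/` is replaced with a URL you control, since OIDC-conformant applications drop custom claims that are not namespaced. The `runRule` and `sampleContext` helpers are only a local harness with constructed input; in the Auth0 dashboard only the rule function itself is pasted in.

```javascript
// Added example, not from the original post: an Auth0 Rule that copies what the
// Authorization Extension put on context.authorization into namespaced custom
// claims on the ID token and access token. Order it AFTER the extension's rule,
// because that rule is what populates context.authorization.
const NAMESPACE = 'https://example.com/'; // assumption: any URL-style namespace you control

function addRolesClaimRule(user, context, callback) {
  const authz = context.authorization || {};
  const roles = Array.isArray(authz.roles) ? authz.roles : [];
  const groups = Array.isArray(authz.groups) ? authz.groups : [];
  const permissions = Array.isArray(authz.permissions) ? authz.permissions : [];

  // If nothing is there (extension rule not run yet, or wrong rule order),
  // issue the token without these claims rather than failing the login.
  if (roles.length === 0 && groups.length === 0 && permissions.length === 0) {
    return callback(null, user, context);
  }

  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};

  // Namespaced keys survive the OIDC-conformant claim filtering; bare keys
  // such as "roles" would be silently dropped from the issued tokens.
  context.idToken[NAMESPACE + 'roles'] = roles;
  context.idToken[NAMESPACE + 'groups'] = groups;
  context.idToken[NAMESPACE + 'permissions'] = permissions;
  context.accessToken[NAMESPACE + 'roles'] = roles;
  context.accessToken[NAMESPACE + 'permissions'] = permissions;

  return callback(null, user, context);
}

// Local harness: run the rule with the Auth0-style callback and hand back the
// resulting context so the claims can be inspected.
function runRule(user, context) {
  let result = null;
  addRolesClaimRule(user, context, (err, _user, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}

// Constructed sample of what the Authorization Extension rule leaves behind.
function sampleContext() {
  return {
    clientName: 'my-spa',
    authorization: {
      roles: ['admin', 'editor'],
      groups: ['staff'],
      permissions: ['read:reports'],
    },
    idToken: {},
    accessToken: {},
  };
}

const demo = runRule({ user_id: 'auth0|123', email: 'alice@example.com' }, sampleContext());
console.log(JSON.stringify(demo.idToken, null, 2));
```

When testing against a real tenant, decode the issued ID token and check that the `https://example.com/roles` key is present; if it is missing, the usual cause is that this rule is ordered above the Authorization Extension rule in the rules list.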