Sorry for the delayed response.
I did more digging on this, and found this from the doc:
As long as RBAC is enabled, the
scopeclaim of the access token includes an intersection of the requested permissions and the permissions assigned to the user, regardless of whether permissions are also included in the access token.
If the user does not have the permission withdraw:funds assigned to them, then it wont show up in the token.