Also, you’re missing the test/metadata/* path with list and, optionally, read capabilities. This is needed for listing folder contents.
Also, Vault does not support Access-Based Enumeration, meaning that if you have access to list the contents of a folder, you can see the existence of all items in that folder (but unless explicitly granted the right to read, you will not be able to read the content). However, if you only have access to view the contents of a secret (and not access to list the folder), you will not be able to enumerate the contents of the folder; rather, you would need to know and provide the full path to see the contents.
Policies can be a bit tricky at first, but continue to experiment to get a better understanding of how they work. KVv2 policies add an additional layer to standard ACLs and you’ll need to account for the additional paths utilized in this engine type.
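
The two cases described in the reply above, written out as policies. This is an added example, not part of the original post: it assumes a KV v2 engine mounted at `test/` (the mount name used in the post), and the secret name `app/db` is a made-up placeholder.

```hcl
# --- Policy A: browse the mount and read values --------------------------
# KV v2 serves secret values under <mount>/data/...
path "test/data/*" {
  capabilities = ["read"]
}

# Folder listings are served under <mount>/metadata/..., not data/.
# "list" shows the name of every key in a folder; Vault does not filter
# the listing down to the items the token can actually read.
# "read" here returns version metadata only, never the secret values.
path "test/metadata/*" {
  capabilities = ["list", "read"]
}

# --- Policy B (separate policy): one secret, no enumeration --------------
# No metadata/list grant, so `vault kv list test/` is denied. The value is
# still readable when the caller supplies the full path, for example
# `vault kv get -mount=test app/db`.
path "test/data/app/db" {
  capabilities = ["read"]
}
```

Policy B is the tighter choice when the names of neighbouring secrets are themselves sensitive, since any `list` grant on a folder exposes all of them.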