Admin policy with asterisk and deny to create token

Hello. I have an admin policy like this:

path "*" {
        capabilities = ["list","read","create","update","delete","sudo"]
}

Root token revoked.
Default policy not modified.

I log in and try to create a token:

vault login <token>

Key                    Value
---                    -----
token                  <token>
token_accessor         <token_accessor>
token_duration         11h59m50s
token_renewable        true
token_policies         ["admin" "default"]
identity_policies      []
policies               ["admin" "default"]
token_meta_username    user

First scenario:

vault token create -orphan=true -policy=admin -no-default-policy

Error creating token: Error making API request.

URL: POST https://vault.example.com/v1/auth/token/create
Code: 400. Errors:

* root or sudo privileges required to create orphan token

Second scenario:

vault token create -orphan=true -policy=test-certificate
Error creating token: Error making API request.

URL: POST https://vault.example.com/v1/auth/token/create
Code: 400. Errors:

* child policies must be subset of parent

Why is it happening? In my admin policy (with asterisk) I have all permissions.

If I explicitly add this path in the admin policy, everything works correctly.

path "auth/token/create" {
        capabilities = ["create","sudo"]
}

What is the output of:
$ vault token capabilities auth/token/create

I.e.:
create, delete, list, read, sudo, update