Can't write response response wrapped secret-id with adequate policy

I have configured a policy for an orchestrator/trusted entity to write a response wrapped secret-id to a given approle. I have verified the policy capabilities, but always get permission denied when attempting to write.

Any idea why I might be getting the 403?

/ # vault policy read pipeline-orchestrator
path "auth/approle/role/pipeline/secret-id" {
  capabilities = ["create","update"]
  min_wrapping_ttl = "100s"
  max_wrapping_ttl = "300s"
}
/ # vault login s.stgDjsYSyfRlJQ4MX4I2s4yk
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.stgDjsYSyfRlJQ4MX4I2s4yk
token_accessor       So8WQt0ZOVhecwwr34sPCWC7
token_duration       165h52m56s
token_renewable      true
token_policies       ["default" "pipeline-orchestrator"]
identity_policies    []
policies             ["default" "pipeline-orchestrator"]
/ # vault token capabilities auth/approle/role/pipeline/secret-id
create, update
/ # vault write -f -wrap-ttl=60s auth/approle/role/pipeline/secret-id
Error writing data to auth/approle/role/pipeline/secret-id: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/approle/role/pipeline/secret-id
Code: 403. Errors:

* 1 error occurred:
        * permission denied

Disregard! I found the problem. The -wrap-ttl value did not land between min_wrapping_ttl and max_wrapping_ttl values on the policy.