Which token are you using when running this command?
I ask because that token will need agent:write permissions for the node in order to update and persist the token across restarts (see permission requirements under Agent HTTP API - Update ACL Tokens), and I didn’t see this permission specified in the policy you previously shared.