Getting permission denied when using root ca to sign intermediate ca

We have a root ca vault that we use to sign the csr of an aws acm pca. The server (iam arn: arn:aws:iam::<account#>:role/myserver) we use to run these commands have an iam role that is bound to a vault policy in root ca vault:

sh-4.2$ vault read auth/aws/role/myserver
Key                               Value
---                               -----
allow_instance_migration          false
auth_type                         iam
bound_account_id                  []
bound_ami_id                      []
bound_ec2_instance_id             <nil>
bound_iam_instance_profile_arn    []
bound_iam_principal_arn           [arn:aws:iam::<account#>:role/myserver]
bound_iam_principal_id            [AROAJH2DIPEXDIZSZOSDE]
bound_iam_role_arn                []
bound_region                      []
bound_subnet_id                   []
bound_vpc_id                      []
disallow_reauthentication         false
inferred_aws_region               n/a
inferred_entity_type              n/a
max_ttl                           0s
period                            12h
policies                          [my-pol]
resolve_aws_unique_ids            true
role_tag                          n/a
ttl                               0s

The vault policy for myserver iam role is:

sh-4.2$ vault policy read my-pol
path "pki/root/sign-intermediate" {
  capabilities = ["create"]

When I hit the vault api to sign my csr, I get the following error:

$ vault write pki/root/sign-intermediate csr="${acm_pca_csr}" ttl=131400h format=pem_bundle
Error writing data to pki/root/sign-intermediate: Error making API request.

Code: 403. Errors:

* 1 error occurred:
        * permission denied

I’m thinking maybe my vault policy is not configured correctly for this op. However, I’m not sure how I can fix this.