I see nothing wrong with the general approach, but since you haven’t shared the exact details of the API calls you are trying to make, or the exact details of the errors returned, it is difficult to be helpful.
When I access the KV v2 read metadata API endpoint in my setup, with the only difference being in the policy mentioned above, the read either succeeds with the general policy, or fails with a 403 error with the “metadata” only policy.
Ah, that sounds familiar. The logic that Vault uses to determine which is the “most specific” policy path rule is weird. I actually think there’s a case for calling it defective. For example, a rule for any of these:
would be considered “more specific” than the rule for engines/+/metadata/apath/* and would override it.