Unable to create token due to policy issues

I am trying to create a token using the following script

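#######################################
# Creates a child token from the AppRole login token and prints the new
# token's lookup-self response.
# Inputs:    /vault/scripts/login-response.json - the approle login response;
#            .auth.client_token is used as the parent token
# Outputs:   writes the create response to /vault/scripts/token-response.json
#            (it holds the new token in cleartext, so keep that file's
#            permissions tight); prints the lookup-self JSON to stdout
# Returns:   0 on success; non-zero when a token cannot be extracted from
#            either response (e.g. Vault answered with an "errors" body)
#######################################
createAppToken() {
	local -r login_response='/vault/scripts/login-response.json'
	local -r token_response='/vault/scripts/token-response.json'
	local -r vault_addr='http://vault-server:8200'
	local client_token token

	# Declaration is separate from the assignment so a jq failure is not masked
	# by `local`; -e makes jq exit non-zero when the field is null or missing.
	client_token=$(jq -r -e '.auth.client_token' < "$login_response") || return

	# Vault only lets a parent attach policies that are a subset of its own
	# unless the parent's policy grants "sudo" on auth/token/create;
	# no_parent=true needs sudo on that path as well.
	local -r payload='{"policies":["read-only-policy"],"no_default_policy":"true","ttl":"10h","explicit_max_ttl":"10h","renewable":"true","no_parent":"true","role_name":"anarcy-role","meta":{"owner": "main"}}'

	# No --fail: the Vault error body is kept in the response file for
	# diagnosis, and the jq -e check below turns it into a non-zero status.
	# NOTE: a token passed via -H is visible in the process list; curl's
	# -H @file form avoids that if it matters in this environment.
	curl --silent --show-error --request POST \
		-H "X-Vault-Token: $client_token" \
		--data "$payload" \
		"$vault_addr/v1/auth/token/create" > "$token_response" || return

	token=$(jq -r -e '.auth.client_token' < "$token_response") || return

	# Pipe curl straight into jq; `echo $(...)` only word-split the JSON.
	curl --silent --show-error --request POST \
		-H "X-Vault-Token: $token" \
		"$vault_addr/v1/auth/token/lookup-self" | jq .
}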

the read-only-policy policy with which this token is to be created is based on the following policy.hcl file

# read-only-policy: the policy requested for the child token in createAppToken.
# Despite the name it also grants "create" (first write of a kv-v2 secret).
# Vault's parent/child check compares policy names, not paths, so this path
# being narrower than main-policy's kv-v2/* does not make it a "subset".
path "kv-v2/wall-e/*" {
    capabilities = ["create", "read", "list"]
}

the ‘client_token’ is obtained based on the following login request

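# Pass role_id/secret_id through the environment into jq so they are
# JSON-escaped and never appear in any process's argv. As written here the
# `""{...}""` quoting left the body unquoted, so the space after the comma
# split it into two curl arguments and the JSON was never intact.
# --data @- reads the request body from stdin.
role_id="$role_id" secret_id="$secret_id" \
  jq -n '{role_id: env.role_id, secret_id: env.secret_id}' \
  | curl --request POST --data @- http://vault-server:8200/v1/auth/approle/login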

the role for the credentials is

# AppRole definition for main-role: tokens it issues carry main-policy, are
# service tokens and live at most 10h. main-policy is the parent policy that
# createAppToken's child tokens are checked against.
# (`local` is only valid inside a function; this is an excerpt.)
local payload='{"token_policies": ["main-policy"], "token_type": "service", "token_ttl": "10h", "token_max_ttl": "10h"}'

# The root token is passed on the command line, so it is visible in the
# process list for the duration of the call.
curl -X POST -H "X-Vault-Token: $root_token" -d "$payload" http://vault-server:8200/v1/auth/approle/role/main-role

and the policy this role is based on is the following

# main-policy: attached to tokens issued by main-role, i.e. the parent token
# used by createAppToken. Comments below mark where the grants bear on the
# "child policies must be subset of parent" error and on scope.
path "cubbyhole/*" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "kv-v2/*" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/sys/capabilities-self" {
    capabilities = ["read", "list"]
}

path "/sys/capabilities/acl/*" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/sys/health" {
    capabilities = ["read"]
}

path "/sys/in-flight-req" {
    capabilities = ["read"]
}

path "/sys/internal/specs/openapi" {
    capabilities = ["read"]
}

path "/sys/internal/ui/namespaces" {
    capabilities = ["read"]
}

path "/sys/ha-status" {
    capabilities = ["read"]
}

path "/sys/leases" {
    capabilities = ["read"]
}

path "/sys/metrics" {
    capabilities = ["read"]
}

path "/sys/monitor" {
    capabilities = ["read"]
}

path "/sys/namespaces" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

# update/delete on every ACL policy includes main-policy itself, so a holder
# could widen its own grants; scope this to the policies it really manages.
path "/sys/policies/acl/*" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/sys/well-known" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

# No "sudo" here: Vault therefore only lets this token attach policies that
# are a subset of its own ("main-policy"), which is the error reported below.
# The create request's no_parent=true also requires sudo on this path.
path "/auth/token/create" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/auth/token/create-orphan" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/auth/token/create/*" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/auth/token/lookup" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/auth/token/lookup-self" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/auth/token/renew" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/auth/token/renew-self" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/auth/token/revoke" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/auth/token/revoke-self" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/auth/token/roles" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/auth/token/roles/*" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

path "/auth/approle/role" {
    capabilities = ["create", "read", "update", "delete", "list", "patch"]
}

Getting this error

Error creating token: child policies must be subset of parent

Typically, a parent can only grant policies that are a subset of its own policies. So if the parent token has “main-policy”, it can only grant “main-policy” to its child tokens.

In order to allow a parent to grant policies that are not a subset of its own, your policy needs to add “sudo” capabilities on path “auth/token/create”.

This level of permission should be given carefully (hence the need for sudo). Maybe look at parameter constraints to apply restrictions if that is a concern.