Authorization policy for namespace other than istio-system

I have the below AuthorizationPolicy which works fine if applied on istio-system namespace, where as doesn’t get applied if targeted to particular namespace.

The below policy works

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: awesome-app
  namespace: istio-system
spec:
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
  - to:
    - operation:
        hosts:
        - my-awesome-app.com
  selector:
    matchLabels:
      istio: ingressgateway

This below doesn’t work - only change is namespace

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: awesome-app
  namespace: awesome-app-namespace
spec:
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
  - to:
    - operation:
        hosts:
        - my-awesome-app.com
  selector:
    matchLabels:
      app: awesome-app

Tried by removing all the selector and rules and I would assume this policy will be applied to all the requests if no rules are specified as show below.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: awesome-app
  namespace: awesome-app-namespace
spec:
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules: []

The above policy is not working as expected.

Any help or guidance is appretiated.