Correct way to require a JWT to access a workload from ingress

I’m trying to create an authorization policy (in Istio 1.17.3) that requires a JWT to access a particular workload for ingress traffic. I’m getting errors logged but it otherwise seems to work; I’m hoping someone can validate my approach, which uses the requestPrincipal to check the token.

Istiod continually logs an error telling me that:

error	authorization	skipped rule ns[test]-policy[httpbin-test]-rule[1]: request.auth.principal must not be used in TCP

Here’s my test authorization policy. I’m attempting to allow access from the sleep service with no token, but ingress (or anything originating from istio-system) requires a token:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-test
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/test/sa/sleep
  - from:
    - source:
        namespaces:
        - istio-system
        requestPrincipals:
        - '*'
  selector:
    matchLabels:
      app: httpbin
      version: v1

Am I doing something wrong? Is there a preferred way to do this? I’m trying to apply the policy to the workload itself since there are other workloads which do not have this requirement. Clearly the rule is not being skipped in all cases since it’s working (and behaves very differently when I remove that rule).

Thanks for any input.
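
The log line names rule[1], which with zero-based numbering is the second rule, the one that sets requestPrincipals. The lint check below is an added example, not part of the original post and not Istio's own code: it lists the rules of a policy that reference HTTP-only fields, labelled in the same format as the log message. The function names and the field lists are assumptions for illustration, based on the attributes Istio documents as HTTP-only.

```python
# Added example: flag AuthorizationPolicy rules that reference HTTP-only fields.
# Field lists are an assumption taken from Istio's documented HTTP-only attributes.
HTTP_ONLY_SOURCE = {"requestPrincipals", "notRequestPrincipals",
                    "remoteIpBlocks", "notRemoteIpBlocks"}
HTTP_ONLY_OPERATION = {"hosts", "notHosts", "methods", "notMethods",
                       "paths", "notPaths"}
HTTP_ONLY_WHEN_PREFIXES = ("request.headers", "request.auth.", "remote.ip")


def http_only_fields(rule):
    """Return the HTTP-only fields one rule references, sorted."""
    found = set()
    for peer in rule.get("from", []):
        found |= {f"source.{k}" for k in peer.get("source", {})
                  if k in HTTP_ONLY_SOURCE}
    for op in rule.get("to", []):
        found |= {f"operation.{k}" for k in op.get("operation", {})
                  if k in HTTP_ONLY_OPERATION}
    for cond in rule.get("when", []):
        if cond.get("key", "").startswith(HTTP_ONLY_WHEN_PREFIXES):
            found.add(f"when.{cond['key']}")
    return sorted(found)


def lint(policy, namespace):
    """Map 'ns[..]-policy[..]-rule[i]' to the HTTP-only fields that rule uses."""
    name = policy["metadata"]["name"]
    report = {}
    for i, rule in enumerate(policy["spec"].get("rules", [])):
        fields = http_only_fields(rule)
        if fields:
            report[f"ns[{namespace}]-policy[{name}]-rule[{i}]"] = fields
    return report


# The policy from the post, transcribed as a dict; the namespace "test" is
# taken from the log line because the manifest itself does not set one.
POLICY = {
    "metadata": {"name": "httpbin-test"},
    "spec": {"action": "ALLOW", "rules": [
        {"from": [{"source": {
            "principals": ["cluster.local/ns/test/sa/sleep"]}}]},
        {"from": [{"source": {"namespaces": ["istio-system"],
                              "requestPrincipals": ["*"]}}]},
    ]},
}

if __name__ == "__main__":
    for rule_id, fields in lint(POLICY, "test").items():
        print(f"{rule_id}: HTTP-only fields {fields}")
```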