Disabling ext_authz per route doesn't work

Hi. I’m trying to apply envoy filter (ext_authz), the thing is i need to exclude one (or several endpoints) to be protected by authz service. The filter works in the main, but exceptions i want - doesn’t. There are not much examples and official documentation doesn’t help much.

Here is my configuration (applying it via kubectl):

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ext-authz
  namespace: hsbc-shpe-authz-sct
spec:
  workloadLabels:
    app.kubernetes.io/instance: sct-protected-service
  filters:
    - filterConfig:
        http_service:
          server_uri:
            uri: http://authz-app.namestace.svc.cluster.local
            cluster: outbound|80||authz-app.namestace.svc.cluster.local
            timeout: 1s
            failure_mode_allow: false
          path_prefix: "/auth"
          include_peer_certificate: true
        route_config:
          name: local_route
          virtual_hosts:
          - name: local_service
            domains: ["*"]
            per_filter_config:
              envoy.ext_authz:
                check_settings:
                  context_extensions:
                    virtual_host: local_service
            routes:
              - match:
                  prefix: "/health"
                per_filter_config:
                  envoy.ext_authz:
                    disabled: true
                route:
                  cluster: outbound|80||protected-service.namespace.svc.cluster.local
              - match:
                  prefix: "/health"
                  per_filter_config:
                    envoy.ext_authz:
                      disabled: true
                  route:
                    cluster: outbound|8080||protected-service.namespace.svc.cluster.local
              - match:
                  prefix: "/"
                route:
                  cluster: outbound|80||protected-service.namespace.svc.cluster.local
      listenerMatch:
        listenerType: SIDECAR_INBOUND
        listenerProtocol: HTTP
      filterType: HTTP
      filterName: envoy.ext_authz

I was looking into " config.filter.http.ext_authz.v2.ExtAuthzPerRoute" but don’t know how toadd this into yaml (which section) and what “check_settings” can be in my case. Ideally i want to allow GET method to /health endpoint to be unprotected. Really easy requirement i stuck with.
I want to do it by applying envoy filter in a separate yaml, not “ConfigMap -> filter chain” if it is possible.