How to debug "enforced denied, matched policy default-deny-all-due-to-bad-CUSTOM-action"?

In trying to explore using an external authorization provider (using an AuthorizationPolicy with an action value of CUSTOM, and corresponding provider configuration there and in Istio’s meshConfig), my service’s Istio/Envoy sidecar logs message like this:

... debug envoy rbac enforced denied, matched policy default-deny-all-due-to-bad-CUSTOM-action

How do I investigate what’s wrong? What’s bad about my action value of CUSTOM, or what’s going wrong in Istio/Envoy’s attempt to call my custom authorization provider?

(Istio/Envoy doesn’t seem to log anything about its attempt to call my envoyExtAuthzHttp provider, which is an OAuth2-Proxy service, and OAuth2-Proxy’s container’s log doesn’t seem to show any activity after startup.)

(I found the source of the string default-deny-all-due-to-bad-CUSTOM-action in some source, but can’t tell where it’s used or what condition causes it be used.)

Bueller? Bueller?

Or anybody?

I would recommend you look in your Istiod logs, there will likely be some more detailed logging on what the issue is. I received this error not too long ago, found the issue straight away via Istiod