Istio Policy custom oauth2 token

I have been facing a problem with a Policy which has no effect on the project.
In my case, I have an application for OAuth2 tokens, and the policy of another application points to it so that it is used, but it has no effect: I can reach the APIs without a token. Here is the project: https://github.com/jamesmedice/Istio-Rbac-Policy-Mesh

Can you share the detailed steps for reproducing the issue?

Sure,
here is the project: https://github.com/jamesmedice/Istio-Rbac-Policy-Mesh.
In my case I have these components: Deployment, Service, VirtualService and a Policy.
The policy points to an endpoint on the same cluster, which is a Spring Security OAuth token API.
When I try to reach the URL without a token, I can access it normally.