Brian Sheppard | 9 Feb 19:39

[fcrepo-user] xacml policy to restrict OAI service

I'm trying to restrict OAI access to certain objects using the policy below (stored as a referenced
datastream). It has the intended effect re API-A, but is permitting OAI requests.

(As in, ...fedora/oai?verb=GetRecord&identifier=oai:example.org:1711.dl:XTA6NVZWV6UTA8K&metadataPrefix=oai_dc)

Thinking the default oai policy may be overriding the object's policy, I've tried both removing the
default policy and editing it in place so that the Rule Effect attribute is set to "Deny." No difference.

$FEDORA_HOME/server/fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/permit-oai-unrestricted.xml

Each time I restarted fedora and even reloaded policies for good measure. Am I missing something obvious?
Thanks for any perspective.
-Brian

<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="PolicyEmbargo" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Policy for embargoed objects.</Description>
  <Target>
    <Subjects>
      <AnySubject></AnySubject>
    </Subjects>
    <Resources>
      <AnyResource></AnyResource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-oai</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
        </ActionMatch>
      </Action>