Ah, that was it! I had done everything exactly as you described, but in your screenshot of Step 6 I noticed you also have another context permission – “web” with minimum role Member 9999 and access policy Context. That’s what was missing!
Seems to be working now 
Many thanks for your patience! 