Comment 8 for bug 1850656

> It either ends up having Client Error with admin-project-scoped auth or 401 with supposedly defalt-domain-scoped auth.

The scope_type for identity:create_endpoint is "system": https://docs.openstack.org/keystone/latest/configuration/policy.html

So neither a project- nor domain-scoped token will be usable with this policy if enforce_scope is set to true. You either need a system-scoped token or you need to set enforce_scope=false (which is the default).