As far as I can tell, this is not currently possible. I've spent a few days now tinkering with every request type for access packages, and fiddling with the JSON to send every possible concoction I can think of, and it always bypasses the approval process defined on the policy.