Using the PermissionChecker annotation should help: https://quarkus.io/guides/security-authorize-web-endpoints-reference#permission-checker.
Using custom HTTP policies should also work, though; please open a Quarkus issue with more details for us to have a look. In general, if one needs to make a remote call from the custom HTTP policy, it should be run using Uni or using a blocking context.
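The two options named in the reply above, sketched as custom HTTP policies; this is an added example, not code from the original post or from the Quarkus project. `RemoteAuthzClient`, its methods and the policy names are hypothetical, and both variants deny the request if the remote call fails.

```java
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;

// Hypothetical remote authorization client; the application supplies the bean.
interface RemoteAuthzClient {
    Uni<Boolean> isAllowed(String user, String path);    // non-blocking call
    boolean isAllowedBlocking(String user, String path); // blocking call
}

// Variant 1: the remote call returns a Uni, so the event loop is never blocked.
@ApplicationScoped
class ReactiveRemotePolicy implements HttpSecurityPolicy {
    @Inject RemoteAuthzClient client;

    @Override
    public Uni<CheckResult> checkPermission(RoutingContext request,
            Uni<SecurityIdentity> identity, AuthorizationRequestContext requestContext) {
        return identity
                .flatMap(id -> client.isAllowed(id.getPrincipal().getName(), request.normalizedPath()))
                .map(ok -> Boolean.TRUE.equals(ok) ? CheckResult.PERMIT : CheckResult.DENY)
                // Fail closed: an error or timeout from the remote service denies access.
                .onFailure().recoverWithItem(CheckResult.DENY);
    }
    @Override
    public String name() { return "remote-reactive"; } // hypothetical policy name
}

// Variant 2: the client blocks, so the check is moved off the event loop
// with the blocking context passed to the policy.
@ApplicationScoped
class BlockingRemotePolicy implements HttpSecurityPolicy {
    @Inject RemoteAuthzClient client;

    @Override
    public Uni<CheckResult> checkPermission(RoutingContext request,
            Uni<SecurityIdentity> identity, AuthorizationRequestContext requestContext) {
        return requestContext.runBlocking(request, identity, (ctx, id) -> {
            try {
                return client.isAllowedBlocking(id.getPrincipal().getName(), ctx.normalizedPath())
                        ? CheckResult.PERMIT : CheckResult.DENY;
            } catch (RuntimeException e) {
                return CheckResult.DENY; // fail closed on remote errors
            }
        });
    }
    @Override
    public String name() { return "remote-blocking"; } // hypothetical policy name
}
```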