I think the problem is that you are trying to give states:StartExecution permission to the state machine but when SAM tries to resolve the state machine arn, it points to itself, but the arn doesn't exist yet.

You can try a fixed approach if you know the state machine name, something like:

action: "states:StartExecution"
resource: "arn:aws:states:<region>:<account>:stateMachine:<state-machine-name>"

Instead of using the !GetAtt