TL;DR: you can't use wildcards in Principals in IAM policy statements.
From what I understand, when you put a principal in an IAM statement, behind the scenes it is translated to the internal ID of the user/role. This is to prevent someone from maliciously naming something similar to get access (we can argue that if someone can create IAM users/roles, you already have a pretty major issue). This behavior is why you can't use wildcards in IAM Principals.
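As an added example (not from the original post), here is a small Python check for the behavior described above. IAM does accept a bare `"*"` as a principal, but it rejects an ARN with a wildcard inside it (for example `arn:aws:iam::123456789012:role/app-*`) because that ARN cannot be resolved to a single unique ID at save time. The documented way to get pattern matching on callers is to set the principal to `"*"` and restrict it with a `StringLike` condition on `aws:PrincipalArn`. The linter logic, the account ID `123456789012` and the role name pattern `app-*` below are constructed for illustration; nothing here calls an AWS API.

```python
import json

# Constructed sample values; not taken from the original post.
ACCOUNT_ID = "123456789012"

TRUST_POLICY_WITH_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            # IAM rejects this: a wildcard inside a principal ARN cannot be
            # resolved to a single unique user/role ID.
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/app-*"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _statements(policy: dict) -> list:
    """Statement may be a single object or a list; always return a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def principal_arns(statement: dict) -> list:
    """Flatten the AWS principal entries of one statement into a list of strings."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def find_partial_wildcard_principals(policy: dict) -> list:
    """Return principal entries that IAM would reject: ARNs containing '*'.

    A bare "*" is allowed (it means 'anyone'), so it is not reported.
    """
    offending = []
    for stmt in _statements(policy):
        for arn in principal_arns(stmt):
            if arn != "*" and "*" in arn:
                offending.append(arn)
    return offending


def rewrite_with_principal_condition(statement: dict) -> dict:
    """Replace wildcard principal ARNs with Principal "*" plus a StringLike
    condition on aws:PrincipalArn, which is how IAM supports pattern matching
    on the calling principal. The pattern keeps the account ID, so a role with a
    similar name in another account does not match."""
    patterns = [arn for arn in principal_arns(statement) if "*" in arn and arn != "*"]
    rewritten = dict(statement)
    rewritten["Principal"] = {"AWS": "*"}
    condition = dict(statement.get("Condition", {}))
    string_like = dict(condition.get("StringLike", {}))
    string_like["aws:PrincipalArn"] = patterns
    condition["StringLike"] = string_like
    rewritten["Condition"] = condition
    return rewritten


if __name__ == "__main__":
    bad = find_partial_wildcard_principals(TRUST_POLICY_WITH_WILDCARD)
    print("rejected principals:", bad)
    fixed_stmt = rewrite_with_principal_condition(TRUST_POLICY_WITH_WILDCARD["Statement"][0])
    print(json.dumps({"Version": "2012-10-17", "Statement": [fixed_stmt]}, indent=2))
```

Note that the rewritten statement is only as tight as its condition: `"Principal": {"AWS": "*"}` on its own would trust any AWS principal, so the `aws:PrincipalArn` pattern must include the account ID (as above), and in cross-account trust policies it is common to add `aws:PrincipalAccount` or `aws:PrincipalOrgID` as a second condition key.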