Can't Do Country-based authentication requirement?

I have a tunnel setup and configured a couple public hostnames for this tunnel to access apps on my NAS.
I next setup Google authentication.
At first nothing happened: turns out you also have to set up an app that corresponds to the public hostnames used to access the NAS apps.
For that app you configure authentication to use Google - that all works fine.

The issue is when I try to configure the authentication rules for the app to do more than just restrict to my desired google emails:
In Configure Rules I have INCLUDE - Selector: EMails - Value= my desired emails.
But if I then click “+Add require” and try to use Selector: Country, Value=my country + neighbouring country (two entries only): then I get Cloudflare Access Forbidden error (“Click to view details” shows a 403 status).

I have no VPN running, I am in the specified country, so why does this get restricted?