When a request with the content-type set to application/grpc is blocked by a service policy, an HTTP 200 is sent back with grpc-status: 7. This is technically correct according to the gRPC spec, but it causes confusion when looking for 403 block responses.
Additionally, this behavior breaks API discovery: Discovery learns invalid "APIs" from the 200 responses.
Old issue open with Envoy: https://github.com/envoyproxy/envoy/issues/11079
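
One way to account for this when reviewing access logs or feeding traffic to discovery, as an added example that is not part of the original note or of any product's code: treat an HTTP 200 on a gRPC response as blocked when grpc-status is 7 (PERMISSION_DENIED in the gRPC status codes), and only learn paths whose call actually succeeded. The JSON log layout and its field names (path, status, content_type, grpc_status) are assumptions, and the sample lines are constructed.

```python
import json

GRPC_PERMISSION_DENIED = 7  # grpc-status value sent with the HTTP 200 block response

# Constructed sample access-log lines (JSON); the field names are assumptions.
SAMPLE_LOG = """\
{"path": "/api/v1/users", "status": 200, "content_type": "application/json", "grpc_status": null}
{"path": "/admin", "status": 403, "content_type": "text/html", "grpc_status": null}
{"path": "/pkg.Orders/List", "status": 200, "content_type": "application/grpc", "grpc_status": "0"}
{"path": "/pkg.Orders/Delete", "status": 200, "content_type": "application/grpc+proto", "grpc_status": "7"}
{"path": "/pkg.Orders/Get", "status": 200, "content_type": "application/grpc", "grpc_status": "14"}
"""

def is_grpc(content_type):
    """True for application/grpc and subtype variants such as application/grpc+proto."""
    media_type = (content_type or "").split(";")[0].strip().lower()
    return media_type == "application/grpc" or media_type.startswith("application/grpc+")

def classify(record):
    """Map one log record to 'blocked', 'ok', 'error' or 'unknown'."""
    status = int(record["status"])
    if status == 403:
        return "blocked"
    if status == 200 and is_grpc(record.get("content_type")):
        try:
            code = int(record.get("grpc_status"))
        except (TypeError, ValueError):
            return "unknown"  # grpc-status not logged or malformed: do not trust the 200
        if code == GRPC_PERMISSION_DENIED:
            return "blocked"
        return "ok" if code == 0 else "error"
    return "ok" if 200 <= status < 300 else "error"

def summarize(log_text):
    """Return (blocked paths, paths safe to treat as successful API calls)."""
    blocked, learnable = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        outcome = classify(record)
        if outcome == "blocked":
            blocked.append(record["path"])
        elif outcome == "ok":
            learnable.append(record["path"])
    return blocked, learnable

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

This only works if the logging pipeline records grpc-status, which may arrive as a response header or as a trailer; records without it are classified as unknown rather than successful.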