Roles was the only difference and was attempting to use that. Went ahead and defined "Designation" for each of the two different user types. Set up the rules to reference those in the enforcement but still authenticating incorrectly.
Service TACACS F5 Admin
Service policy points to device group (all F5)
Enforcement points to policy that specifies localuser designation = X
Service TACACS F5 App
Service policy points to device group (app F5)
Enforcement points to policy that specifies localuser designation = Y
If service TACACS F5 Admin is ordered first all users auth as Admins
If Service TACACS F5 App is ordered first all users auth as Operators
So the Enforcement policies are setting the correct roles, just not honoring the enforcement criteria.