Thx Sacha,
First thing to note: That worked - you were correct.
Second thing to note: The service does force you to have at least one authentication source. It won't allow zero sources. Therefore, I used the endpoints database as the authentication source. I removed/deleted all endpoints and tested again. Even though the device rebooted, hit the CPPM mac-auth service and wasn't in the endpoint database, it still did a successful authentication due to the "allow all" authentication method. Then, the CoA rule was applied also using Endpoints database in the authorization tab and the device was placed into the new VLAN.