Perhaps your radius is returning a role as a VSA which overrides the derivation rule, you can check it using the steps below.
The captures below are from a a derivation rule that applies role=derived-role due to an ap-name match (same as you have). But the radius is also returning Aruba-User-Role VSA with role=authenticated
(7005) #show aaa debug role user ip 192.168.1.20
Role Derivation History
=======================
0: l2 role->logon, mac user created
1: l2 role->derived-role, handle_sta_up_dn: setting l2 role for user attributes
2: l2 role->authenticated, station Authenticated with auth type: 802.1x
(7005) #
The UDR can be seen to be applied early from the security debug, this happens before the dot1x auth starts
Dec 6 11:21:34 :124086: <4414> <DBUG> |authmgr| Create macuser 0x0xf8c3c4 and user 0x0x14ec8bc.
Dec 6 11:21:34 :124093: <4414> <DBUG> |authmgr| Called mac_station_new() for mac 84:38:38:00:00:00.
Dec 6 11:21:34 :124103: <4414> <DBUG> |authmgr| Setting user 84:38:38:00:00:00 aaa profile to radcp, reason: ncfg_set_aaa_profile_defaults.
Dec 6 11:21:34 :124209: <4414> <DBUG> |authmgr| handle_sta_up_dn:2828 Updating vlan usage for MAC=84:38:38:00:00:00 with vlan 1 apname ap325
Dec 6 11:21:34 :124004: <4414> <DBUG> |authmgr| Matching `user' rules to derive role ...
Dec 6 11:21:34 :124004: <4414> <DBUG> |authmgr| location 'equals' ap325
Dec 6 11:21:34 :124004: <4414> <DBUG> |authmgr| rule: set role condition location equals "ap325" set-value derived
Dec 6 11:21:34 :124004: <4414> <DBUG> |authmgr| match_rule Value Pair to match bssid : 80:8d:b7:22:22:22
Dec 6 11:21:34 :124004: <4414> <DBUG> |authmgr| match_rule Value Pair to match location : ap325
Dec 6 11:21:34 :124004: <4414> <DBUG> |authmgr| Matching `user' rules to derive vlan ...
Dec 6 11:21:34 :124004: <4414> <DBUG> |authmgr| location 'equals' ap325
Dec 6 11:21:34 :124105: <4414> <DBUG> |authmgr| MM: mac=84:38:38:00:00:00, state=4, name=, role=derived-role, dev_type=, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1. <<<<<<<
Dec 6 11:21:34 :124004: <3806> <DBUG> |authmgr| Select server for method=802.1x, user=test1, essid=dot1x-vlan, server-group=cppm, last_srv <>
Dec 6 11:21:34 :124038: <3806> <INFO> |authmgr| Selected server cppm for method=802.1x; user=test1, essid=dot1x, domain=<>, server-group=cppm
Dec 6 11:21:34 :121031: <3806> <DBUG> |authmgr| |aaa| [rc_server.c:2326] Sending radius request to cppm:192.168.1.220:1812 id:58,len:188
Dec 6 11:21:34 :121031: <3806> <DBUG> |authmgr| |aaa| [rc_server.c:2342] User-Name: test1
but then later the radius sends back a Aruba-User-Role VSA, which overrides the UDR
Dec 6 11:21:34 :121031: <3806> <DBUG> |authmgr| |aaa| [rc_request.c:40] Del Request: id=66, srv=192.168.1.220, fd=84
Dec 6 11:21:34 :121031: <3806> <DBUG> |authmgr| |aaa| [rc_api.c:1211] Authentication Successful
Dec 6 11:21:34 :121031: <3806> <DBUG> |authmgr| |aaa| [rc_api.c:1213] RADIUS RESPONSE ATTRIBUTES:
Dec 6 11:21:34 :121031: <3806> <DBUG> |authmgr| |aaa| [rc_api.c:1228] {Aruba} Aruba-User-Role: authenticated <<<<<<
Dec 6 11:21:34 :121031: <3806> <DBUG> |authmgr| |aaa| [rc_api.c:1228] {Microsoft} MS-MPPE-Recv-Key: \242\246o-\256\2724,\261\227\025\340h\020\365&\365`\030\026\033\206#\351a\004\3501\234\355\225&P\004\021LP\030\254\324t\274\240Mf_\365\011\014Z
Dec 6 11:21:34 :124004: <3806> <DBUG> |authmgr| user_download: User N/A Router Acl(0)
Dec 6 11:21:34 :124105: <3806> <DBUG> |authmgr| MM: mac=84:38:38:00:00:00, state=6, name=test1, role=authenticated, dev_type=, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
Dec 6 11:21:38 :124148: <3806> <DBUG> |authmgr| Create ipuser 192.168.1.20 for user 84:38:38:00:00:00.
Dec 6 11:21:38 :124156: <3806> <DBUG> |authmgr| Called ip_user_new() for ip 192.168.1.20.
Dec 6 11:21:38 :124004: <3806> <DBUG> |authmgr| sta_add_l3: mac 84:38:38:00:00:00 ip 192.168.1.20