Hmm, okay, first we need to see that you are actually in the "correct" role when failing MAC auth.
Please show us the output of "show user" with your user.
Please also show us your new edited logon role.
Another thing is that you can see which ports are used with Zero VPN if you know the destination IP of the Zero VPN server.
Connect to Zero VPN with your failed client and write this in the controller:
"show datapath session table | include x.x.x.x"
where x.x.x.x is the Zero VPN server, and give us the output.