Can someone please explain why our user role is not matching the subnet ID? The subnet ID we are trying to allow is 10.24.32.0 /21

The host we were testing access to is 10.24.38.2, which should be a part of the 10.24.32.0 /21 subnet
However in our testing we found that if we adjust the subnet mask to /18 it does allow the traffic. How is the switch interpreting the subnet ID and subsequent user role policy?