Azure Policy reconciler error for constraint k8sazurev2blockautomounttoken
I have enabled DFC and Azure Policy on my AKS cluster.
I assigned a policy with an exclusion for the namespace nginx (but it doesn't show up in the excluded-namespace default values in the policy definition, as in the last image attached). When I deploy the Helm chart for the nginx controller, I still see logs in the gateway controller for "(info) denied admission: Automounting service account token is disallowed" and another set of "Reconciler error" messages. I am unable to understand what is missing, or whether it is safe to ignore these messages.
Also, the policy ID that was assigned and the constraint template annotation for the Azure Policy definition ID match. The Azure Policy parameters have the ingress namespace.
{"level":"error","ts":1754501128.6829498,"msg":"Reconciler error","controller":"constraint-controller","object":{"name":"gvk:K8sAzureV2BlockAutomountToken.v1beta1.constraints.gatekeeper.sh:azurepolicy-k8sazurev2blockautomounttoken-a1c7f996f6dd05ff6ea5"},"namespace":"","name":"gvk:K8sAzureV2BlockAutomountToken.v1beta1.constraints.gatekeeper.sh:azurepolicy-k8sazurev2blockautomounttoken-a1c7f996f6dd05ff6ea5","reconcileID":"50838bd7-9717-46e7-a1b7-215ee9e1be91","error":"validatingadmissionpolicybindings.admissionregistration.k8s.io \"gatekeeper-azurepolicy-k8sazurev2blockautomounttoken-a1c7f996f6dd05ff6ea5\" is forbidden: User \"system:serviceaccount:gatekeeper-system:gatekeeper-admin\" cannot delete resource \"validatingadmissionpolicybindings\" in API group \"admissionregistration.k8s.io\" at the cluster scope: Azure does not have opinion for this user.","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...[]).reconcileHandler\n\t/build/top/BUILD/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...[]).processNextWorkItem\n\t/build/top/BUILD/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/build/top/BUILD/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:255"}
{"level":"info","ts":1754501766.5359077,"logger":"webhook","msg":"denied admission: Automounting service account token is disallowed, pod: ingress-nginx-controller-5955dc6c59-xcwlc","hookType":"validation","process":"admission","details":{},"event_type":"violation","constraint_name":"azurepolicy-k8sazurev2blockautomounttoken-cefda45f1b679f4fbee5","constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sAzureV2BlockAutomountToken","constraint_action":"dryrun","constraint_enforcement_actions":[],"resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"ingress","resource_name":"ingress-nginx-controller-5955dc6c59-xcwlc","request_username":"system:serviceaccount:kube-system:replicaset-controller"}
{"level":"info","ts":1754501766.5359352,"logger":"webhook","msg":"denied admission: Container image registry.k8s.io/ingress-nginx/controller:v1.12.3@sha256:ac444cd9515af325ba577b596 for container controller has not been allowed.","hookType":"validation","process":"admission","details":{},"event_type":"violation","constraint_name":"azurepolicy-k8sazurev2containerallowedimag-45fb70f969fb8329baf0","constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sAzureV2ContainerAllowedImages","constraint_action":"dryrun","constraint_enforcement_actions":[],"resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"ingress","resource_name":"ingress-nginx-controller-5955dc6c59-xcwlc","request_username":"system:serviceaccount:kube-system:replicaset-controller"}
[Image: gateway controller logs]
[Image: Azure Policy from portal]
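A triage script for the two kinds of log line quoted in the question, as an added example that is not part of the original post, of Gatekeeper, or of the Azure Policy add-on. It parses Gatekeeper's JSON log lines (the three embedded below are constructed after the ones in the post, with fields trimmed and identifiers kept), reads `constraint_action` to separate a dry-run violation (Gatekeeper logs it but does not reject the admission request) from an actual deny, checks the pod's namespace against an excluded-namespace list the way Gatekeeper's `spec.match.excludedNamespaces` is evaluated (exact match, or a `*` prefix/suffix wildcard), and extracts the RBAC denial embedded in the "Reconciler error" into the `kubectl auth can-i` command that reproduces it. The excluded-namespace list in `main`, the `triage` function and the field names it returns are assumptions of this example, not anything the post or the policy definition states.

```python
"""Triage Gatekeeper / Azure Policy add-on log lines (added example, not project code)."""
import json
import re
import sys

# Constructed after the log lines in the post above: payloads trimmed, identifiers kept.
SAMPLE_LOGS = [
    r'{"level":"error","ts":1754501128.68,"msg":"Reconciler error","controller":"constraint-controller",'
    r'"name":"gvk:K8sAzureV2BlockAutomountToken.v1beta1.constraints.gatekeeper.sh:azurepolicy-k8sazurev2blockautomounttoken-a1c7f996f6dd05ff6ea5",'
    r'"error":"validatingadmissionpolicybindings.admissionregistration.k8s.io \"gatekeeper-azurepolicy-k8sazurev2blockautomounttoken-a1c7f996f6dd05ff6ea5\" is forbidden: '
    r'User \"system:serviceaccount:gatekeeper-system:gatekeeper-admin\" cannot delete resource \"validatingadmissionpolicybindings\" '
    r'in API group \"admissionregistration.k8s.io\" at the cluster scope: Azure does not have opinion for this user."}',
    r'{"level":"info","ts":1754501766.53,"logger":"webhook","msg":"denied admission: Automounting service account token is disallowed, pod: ingress-nginx-controller-5955dc6c59-xcwlc",'
    r'"event_type":"violation","constraint_name":"azurepolicy-k8sazurev2blockautomounttoken-cefda45f1b679f4fbee5","constraint_kind":"K8sAzureV2BlockAutomountToken",'
    r'"constraint_action":"dryrun","resource_kind":"Pod","resource_namespace":"ingress","resource_name":"ingress-nginx-controller-5955dc6c59-xcwlc"}',
    r'{"level":"info","ts":1754501766.53,"logger":"webhook","msg":"denied admission: Container image registry.k8s.io/ingress-nginx/controller:v1.12.3 for container controller has not been allowed.",'
    r'"event_type":"violation","constraint_name":"azurepolicy-k8sazurev2containerallowedimag-45fb70f969fb8329baf0","constraint_kind":"K8sAzureV2ContainerAllowedImages",'
    r'"constraint_action":"dryrun","resource_kind":"Pod","resource_namespace":"ingress","resource_name":"ingress-nginx-controller-5955dc6c59-xcwlc"}',
]

# Shape of the kube-apiserver RBAC denial message quoted inside the reconciler error.
RBAC_DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
)


def is_excluded(namespace, excluded_namespaces):
    """Match like Gatekeeper's match.excludedNamespaces: exact, or '*' prefix/suffix wildcard."""
    for pattern in excluded_namespaces:
        if pattern == namespace:
            return True
        if pattern.endswith("*") and namespace.startswith(pattern[:-1]):
            return True
        if pattern.startswith("*") and namespace.endswith(pattern[1:]):
            return True
    return False


def parse_rbac_denial(error_text):
    """Return the denied user/verb/resource plus a kubectl command that reproduces the check."""
    match = RBAC_DENIAL.search(error_text)
    if not match:
        return None
    denial = match.groupdict()
    fqdn = denial["resource"] + ("." + denial["group"] if denial["group"] else "")
    denial["can_i"] = f'kubectl auth can-i {denial["verb"]} {fqdn} --as={denial["user"]}'
    return denial


def classify_violation(entry, excluded_namespaces):
    """Only constraint_action 'deny' rejects the request; 'dryrun' and 'warn' are logged only."""
    action = entry.get("constraint_action", "")
    namespace = entry.get("resource_namespace", "")
    return {
        "type": "violation",
        "constraint_kind": entry.get("constraint_kind", ""),
        "action": action,
        "blocked": action == "deny",
        "namespace": namespace,
        "namespace_excluded": is_excluded(namespace, excluded_namespaces),
        "resource": f'{entry.get("resource_kind", "")}/{entry.get("resource_name", "")}',
    }


def triage(lines, excluded_namespaces):
    """Classify each JSON log line; non-JSON lines are skipped."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue
        if entry.get("msg") == "Reconciler error":
            denial = parse_rbac_denial(entry.get("error", ""))
            if denial:
                findings.append({"type": "rbac", **denial})
            else:
                findings.append({"type": "reconcile", "error": entry.get("error", "")})
        elif entry.get("event_type") == "violation":
            findings.append(classify_violation(entry, excluded_namespaces))
    return findings


def main(lines):
    excluded = ["kube-system", "gatekeeper-system", "azure-arc", "nginx"]  # assumed list for the demo
    for f in triage(lines, excluded):
        if f["type"] == "rbac":
            print(f'RBAC: {f["user"]} cannot {f["verb"]} {f["resource"]} -> verify with: {f["can_i"]}')
        elif f["type"] == "violation":
            state = "BLOCKED" if f["blocked"] else f'logged only ({f["action"]})'
            excl = "excluded" if f["namespace_excluded"] else "NOT excluded"
            print(f'{f["constraint_kind"]}: {f["resource"]} in ns {f["namespace"]} ({excl}) -> {state}')
        else:
            print(f'Reconciler error (not an RBAC denial): {f["error"]}')


if __name__ == "__main__":
    source = [l for l in sys.stdin if l.strip()] if not sys.stdin.isatty() else SAMPLE_LOGS
    main(source)
```

Pipe the controller's log output into the script to run it over real lines, or run it with no stdin to use the constructed samples. The `can_i` command it prints is the direct check for the reconciler error: if `kubectl auth can-i` answers `no`, the gatekeeper-admin service account lacks the `delete` verb on `validatingadmissionpolicybindings` and the reconcile loop will keep failing; the `namespace_excluded` flag shows whether the pod's actual namespace (`ingress` in the post) is covered by the exclusion list you assigned.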