I work for NetApp supporting migration to ONTAP9.
The output you provided doesn't show the export policy you've applied to the root volume which is where you are getting the denied. Take another look at the check-access output!
You can see all volumes' policy and junction-path from the command line by running the following:
aff-01::> rows 0; vol show -vserver *nfs* -fields policy,junction-path
Security inheritence is in play. The root volume needs to be accessible if you want to let people get at the templates volume, which is junctioned under the root /. I recommend taking a look our cool new docs.netapp.com center for the NFS express guide on how to open up access to the root volume.
Personally I like locking it down a bit. A great resource for how to do this and almost all things NFS is is TR-4067 - You are looking for pg 48.
Share and enjoy!
Please hit the kudos button and mark as solved if this resolved your issue.