Hello, not sure you're mssing too much. From the output it looks like the templates export policy is assigned to the templates volume, however in the check-access it cannot find the templates export policy and assigns the default which gives you the permission denied.
The output you provided doesn't show the export policy you've applied to the root volume which is where you are getting the denied. Take another look at the check-access output!
You can see all volumes' policy and junction-path from the command line by running the following:
aff-01::> rows 0; vol show -vserver *nfs* -fields policy,junction-path
Security inheritence is in play. The root volume needs to be accessible if you want to let people get at the templates volume, which is junctioned under the root /. I recommend taking a look our cool new docs.netapp.com center for the NFS express guide on how to open up access to the root volume.
Personally I like locking it down a bit. A great resource for how to do this and almost all things NFS is is TR-4067 - You are looking for pg 48.
Share and enjoy!
Please hit the kudos button and mark as solved if this resolved your issue.