Cannot access proxy resource even though authorized

I know this is the resource policy to be returned by a REST API authorizer to authorize endpoint arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/dev/GET/

{
  "principalId": "user",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Deny",
        "Resource": "arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/dev/GET/"
      }
    ]
  }
}

I have a proxy resource as arn:aws:execute-api:{region}:{accountid}:{apiid}///tnaapi/{proxy+}

{
  "principalId": "user",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Deny",
        "Resource": "arn:aws:execute-api:us-west-2:123456789012:ymy8tbxw7b/*/*/tnaapi/{proxy+}"
      }
    ]
  }
}

If I set this as "Resource" in a resource policy and return from the authorizer, I'm not allowed to tnaapi/aaaa/bbb endpoints. How can I solve that?