Unable to deny snapshot creation based on tags

A customer wants to deny creating resources unless it has specific tags. I'm currently working on EC2 snapshots, volumes, and instances with the following SCP:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAPPTAG2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume",
        "ec2:CreateSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*::snapshot/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/application": "true"
        }
      }
    }
  ]
}

But this policy doesn't allow me to create EC2 snapshot, regardless if I specify the tag or not, but it works as expected for creating an EBS volume or EC2 instance

Now If I separate the ec2:CreateSnapshot into its own statement then it works as expected like the following:

enter code here
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAPPTAG2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/application": "true"
        }
      }
    },
    {
      "Sid": "GRAPPTAG3",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*::snapshot/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/application": "true"
        }
      }
    }
  ]
}

So I'd like to know why this is happening and if there is anyway to combine them into a single statement. Thanks!