Your policy uses
RequireClaim
, which means the authenticated user must have a custom claim called "UserGroupKeys". This is not a standard claim, and will not be set by the default authentication code.
If you have custom authentication code to set this claim, then you will need to update your question to show it. Otherwise, assuming your roles are working correctly, I suspect you meant:
services.AddAuthorization(options =>
options.AddPolicy("Upper-Admin",
policy => policy.RequireRole("Upper-Admin")));
Role-based authorization in ASP.NET Core | Microsoft Docs[
^]