Using "source-identity" with "pass-through" firewall authentication

I am looking for a solution to an issue with the following config:

policy MyPolicy1 {
    match {
        source-address any;
        destination-address MyAddress1;
        application any;
        source-identity any;
    }
    then {
        permit {
            firewall-authentication {
                pass-through {
                    access-profile MyProfile;
                    client-match [ MyUser1 ];
                    ssl-termination-profile my_ssl_pf;
                }
            }
        }
        log {
            session-init;
            session-close;
        }
        count;
    }
    scheduler-name MySchedule1;
}
policy MyPolicy2 {
    match {
        source-address any;
        destination-address MyAddress2;
        application any;
        source-identity any;
    }
    then {
        permit {
            firewall-authentication {
                pass-through {
                    access-profile MyProfile;
                    client-match [ MyUser2 ];
                    ssl-termination-profile my_ssl_pf;
                }
            }
        }
        log {
            session-init;
            session-close;
        }
        count;
    }
    scheduler-name MySchedule2;
}

The problem is that when "MyAddress1" and "MyAddress2" overlap, the second policy will never be triggered, as the user is not taken into account for the match. Given that the first policy is always triggered, MyUser1 can successfully authenticate and connect but MyUser2 cannot. As long as there is no overlap between "MyAddress1" and "MyAddress2", the above works fine.

Based on the info at

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-user-role-policy-with-firewall-authentication-configuring.html

I tried the following:

policy MyPolicy0 {
    match {
        source-address any;
        destination-address MyAddress3;
        application any;
        source-identity unauthenticated-user;
    }
    then {
        permit {
            firewall-authentication {
                pass-through {
                    access-profile MyProfile;
                    client-match [ MyUser1 MyUser2 ];
                    ssl-termination-profile my_ssl_pf;
                }
            }
        }
        log {
            session-init;
            session-close;
        }
        count;
    }
}
policy MyPolicy1 {
    match {
        source-address any;
        destination-address MyAddress1;
        application any;
        source-identity MyUser1;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
        count;
    }
    scheduler-name MySchedule1;
}
policy MyPolicy2 {
    match {
        source-address any;
        destination-address MyAddress2;
        application any;
        source-identity MyUser2;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
        count;
    }
    scheduler-name MySchedule2;
}

but that doesn't work. Is there a way to use the user identity from pass-through authentication with source-identity in subsequent policies?

I have an SRX345 running 15.1X49-D120.3.
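The pattern the linked document describes, written out as an added example (this is not the poster's configuration): the first policy authenticates unknown users with the `user-firewall` action rather than `pass-through`, which is the variant that document pairs with `source-identity` so that later policies can match on the authenticated user, and the address-based policies are then allowed to overlap. The zone names `trust`/`untrust` are assumed, as is the availability of `user-firewall` on the poster's platform and release; the address, profile and user names are taken from the post.

```junos
security {
    policies {
        from-zone trust to-zone untrust {
            /* Step 1: anyone without an identity entry is sent through
               firewall authentication. user-firewall (not pass-through)
               is the action the linked document uses with source-identity. */
            policy MyPolicy0 {
                match {
                    source-address any;
                    destination-address MyAddress3;
                    application any;
                    source-identity unauthenticated-user;
                }
                then {
                    permit {
                        firewall-authentication {
                            user-firewall {
                                access-profile MyProfile;
                                ssl-termination-profile my_ssl_pf;
                            }
                        }
                    }
                    log { session-init; session-close; }
                }
            }
            /* Step 2: identity-based policies. MyAddress1 and MyAddress2
               may overlap because the user, not only the address, decides
               which policy matches. */
            policy MyPolicy1 {
                match {
                    source-address any;
                    destination-address MyAddress1;
                    application any;
                    source-identity MyUser1;
                }
                then { permit; log { session-init; session-close; } }
                scheduler-name MySchedule1;
            }
            policy MyPolicy2 {
                match {
                    source-address any;
                    destination-address MyAddress2;
                    application any;
                    source-identity MyUser2;
                }
                then { permit; log { session-init; session-close; } }
                scheduler-name MySchedule2;
            }
        }
    }
}
```

After a user authenticates, confirm the exact identity string the device recorded (user name, and any group or domain qualifier) before relying on `source-identity` matches, since a policy will only match the name as it appears in the identity table.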
