So it transpires we were trying to piggyback on the stellar work by SCS for identity and allow a domain admin for provider networks, but alas Neutron has zero visibility of domains, and secondly only "admin" and "advsvc" can provision in a different project (hard-coded, not a policy). Our one remaining option is to create a context that is for the "manager" user, but scoped to the user's project, and that can allow the provider network to be provisioned.