In specific role the permission HostSessionWithoutConsent is enabled to specific session sub group in AccessSessionGroups.
Specific access host is part of more subgroups (by dynamic session group filters). One of these subgroups is mentioned specific subgroup with HostSessionWithoutConsent permission is enabled.
Users with this role assigned is able to connect to the access host session without consent, despite of connection is established through session subgroup, without HostSessionWithoutConsent persmission enabled.
It seems permission is applied to host (if it is part of session group with permission) and not to specific session group only.
OS edition: Windows server 2019
OS version: 1809
OS build: 17763.2183
CWC version: 21.13.5058.7951
Customer support service by UserEcho