GWC creates a mock request for the WMS to generate tiles to be cached, but it uses "127.0.0.1" as RemoteHost:
https://github.com/geoserver/geoserver/blob/master/src/gwc/src/main/java/org/geoserver/gwc/FakeHttpServletRequest.java#L303
This will make the WMS check for a rule about "127.0.0.1", and not the actual IP of the request, changing the resulting image, or (if 127.0.0.1 is not allowed at all) failing to provide it.
The remote hostname and IP should be made available to the WMS that needs to render the tile.
GeoServer 2.13.2 with external GeoFence
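
The effect described above, as an added example that is not part of the original report and is not GeoServer or GeoFence code. It is a simplified model: the `Request` interface, the `allowed` rule check, and the sample address and rule are all assumptions made for illustration. It compares an IP-based rule evaluated against a loopback mock with the same rule evaluated against a mock that carries the caller's address.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public class MockRequestRemoteAddr {

    /** The one part of HttpServletRequest that matters here (hypothetical interface). */
    interface Request { String getRemoteAddr(); }

    /** Hypothetical stand-in for an IP-based access rule; not GeoFence's API. */
    static boolean allowed(String cidr, Request req) throws UnknownHostException {
        String[] parts = cidr.split("/");
        // Literal addresses are parsed without any DNS lookup.
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        byte[] addr = InetAddress.getByName(req.getRemoteAddr()).getAddress();
        int bits = Integer.parseInt(parts[1]);
        if (net.length != addr.length) return false; // IPv4 rule vs IPv6 address
        for (int i = 0; i < bits; i++) {
            int mask = 0x80 >> (i % 8);
            if ((net[i / 8] & mask) != (addr[i / 8] & mask)) return false;
        }
        return true;
    }

    /** Internal request as described in the report: always reports loopback. */
    static Request loopbackMock() { return () -> "127.0.0.1"; }

    /** Internal request that carries the original caller's address instead. */
    static Request propagatingMock(Request original) {
        final String addr = original.getRemoteAddr(); // copy the value, not the request
        return () -> addr;
    }

    public static void main(String[] args) throws UnknownHostException {
        Request client = () -> "192.0.2.10"; // constructed sample client (TEST-NET-1)
        String rule = "192.0.2.0/24";        // constructed rule: only this network is allowed

        System.out.println("direct WMS request     : " + allowed(rule, client));
        System.out.println("tile via loopback mock : " + allowed(rule, loopbackMock()));
        System.out.println("tile via propagated IP : " + allowed(rule, propagatingMock(client)));
    }
}
```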