I followed the exact same config and added few more resource including pod and validated the same ::

kubectl auth can-i post pod -n namespace1 --as system:serviceaccount:default:sa

Response :: yes

But then I was not able to create Pod in the namespace namespace1 with the serviceaccount sa.

k get pod -n namespace1

No resources found.

And the error message :: forbidden: error looking up service account namespace1/sa: serviceaccount "sa" not found