Hi Ted,

Based on what you said you want to accomplish and your above-mentioned references, I have a hunch that you have the keys set up incorrectly. Can you please:

1. Try to create a key with "userwithauth" set in the step in your script that references the policy_duplication man page, as in here:

    tpm2_create -C src_o.ctx -g sha256 -G rsa -r dupkey.priv -u dupkey.pub \
      -L policydupselect.dat -a "sensitivedataorigin|sign|decrypt|userwithauth" -c dupkey.ctx -Q

2. Share the exact steps/script that you implemented.

3. Share the key properties of the parent and child objects you created. You can use the tpm2_readpublic command to dump the key properties.

Thanks