You say the security rules are the same, but are the licensing rules also the same? What I mean is: has the user got a professional license in the new environment?
Have you checked that the user has got the correct license assigned, i.e. a professional license to be able to create/edit apps? QMC -> License management, and then either "professional access allocations" or if you assign licenses by rules, go to Professional Access Rules and open the rule in edit mode, and then click User Access in the menu to the right (under Associated Items).
Next step is probably to check log files. Hopefully you have installed the monitoring apps that helps you analyze them, the app "Log Monitor" is possibly the one you want. You may need to increase logging level for some services (I'm not sure which ones) in order to get the details you need to find the problem.
BTW, you say the security rules are the same, but depending on how you have set up the rules they may need to be different. For example, let's say a custom rule uses a specific ID for a stream or a server. In your new environment, those ID:s aren't the same as in the old environment, and the security rules may need to be updated to match the new environment. But I'm kind of thinking that if this is the case, you should have more than one user with the same problem. But in theory, this user may have been directed to a rim node where a specific security rule doesn't apply, and the other users that successfully can create apps may have been on another server and that's why they can and another user can't. But it's very hard to tell from the outside, I'm just guessing...
You can try to find on QMC>Audit. Try to filter by user and check if it has Create App resource rights. If you see Green "C" icon check which security rule provided that right.
Alternate method give temporary rights to user with * and check all to see he/she create app now.
Lastly force the user to get same engine node on both server. Try to create a new Virtualproxy and set the load balancing node on the same node 1by1 to see if user get the same roled server in case you are accessing QlikSense via NetWorkLoadBalancer.
