Updating my original post as it is now solved. The problem I was having with the other posts not working was a bug in sync persistence shown here.
The straight-forward method is this:
Conditions: !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "bookmark") and !user.IsAnonymous()
Logic: Non-anonymous users can create app objects on apps which belong to streams where the user already has read privileges, and the objects that they are creating are bookmarks.
Additionally, publish rights to the stream are not required.
Basically, there is an issue with sync persistence that means you will need to recycle your services on all nodes due to caching from the repository service.
They provide a way of disabling the caching altogether, but we opted not to do this because of how many users we get logging into the system. I believe this was the better route, as I didn't want to track making custom changes due to a bug and confirm when I would need to revert. I just make a note that services may need to be restarted as we wait for shared persistence. I would also like to add that this was the only time it happened for us, so it is a rare occurrence.
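The following is an added example, not code from the original post or from Qlik: it models the security rule condition quoted above in plain Python so the allowed and denied combinations can be checked side by side. The `Stream`, `App`, `AppObject` and `User` classes are hypothetical stand-ins for the QMC resource and user objects, and the `Empty()`, `HasPrivilege()` and `IsAnonymous()` calls are mirrored as Python methods with the same meaning; nothing here touches a real Qlik deployment.

```python
"""Model of the Qlik Sense security rule from the post (constructed example).

Rule condition being modelled:
  !resource.App.stream.Empty() and resource.App.HasPrivilege("read")
  and (resource.objectType = "bookmark") and !user.IsAnonymous()
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Stream:
    # Hypothetical stand-in for resource.App.stream; an unpublished app has no stream.
    name: Optional[str] = None

    def empty(self) -> bool:
        return self.name is None


@dataclass
class App:
    # Hypothetical stand-in for resource.App; `privileges` is what the
    # calling user already holds on the app (e.g. via stream read access).
    stream: Stream = field(default_factory=Stream)
    privileges: Set[str] = field(default_factory=set)

    def has_privilege(self, privilege: str) -> bool:
        return privilege in self.privileges


@dataclass
class AppObject:
    # Hypothetical stand-in for the App.Object resource being created.
    object_type: str
    app: App


@dataclass
class User:
    anonymous: bool = False

    def is_anonymous(self) -> bool:
        return self.anonymous


def rule_allows_create(resource: AppObject, user: User) -> bool:
    """Evaluate the rule's condition for a create action on `resource`."""
    return (
        not resource.app.stream.empty()
        and resource.app.has_privilege("read")
        and resource.object_type == "bookmark"
        and not user.is_anonymous()
    )


def evaluate_cases() -> Dict[str, bool]:
    """Constructed cases covering each clause of the condition."""
    published = Stream("Everyone")
    read_only_app = App(stream=published, privileges={"read"})
    read_and_publish_app = App(stream=published, privileges={"read", "publish"})
    no_read_app = App(stream=published, privileges=set())
    unpublished_app = App(stream=Stream(), privileges={"read"})
    user = User()
    anon = User(anonymous=True)

    return {
        # Read access on a published app is enough; publish is not required.
        "bookmark, read only": rule_allows_create(AppObject("bookmark", read_only_app), user),
        "bookmark, read+publish": rule_allows_create(AppObject("bookmark", read_and_publish_app), user),
        # Each remaining clause denies on its own.
        "bookmark, no read": rule_allows_create(AppObject("bookmark", no_read_app), user),
        "bookmark, unpublished app": rule_allows_create(AppObject("bookmark", unpublished_app), user),
        "sheet, read only": rule_allows_create(AppObject("sheet", read_only_app), user),
        "bookmark, anonymous": rule_allows_create(AppObject("bookmark", read_only_app), anon),
    }


if __name__ == "__main__":
    for label, allowed in evaluate_cases().items():
        print(f"{label:28s} -> {'ALLOW' if allowed else 'DENY'}")
```

Run it as a script to see the decision table; only the two bookmark-on-a-published-app-with-read cases are allowed, which is the behaviour the rule description claims.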