While authentication is to validate a user, authorization is to grant access to a resource of the application. We all heard about role-based authorization, which provides access to the resources based on the role the user has. Policy-based authorization, a new feature in the Dotnet core allows you to implement a loosely coupled security model. This helps to decouple the authorization logic from controllers.
Read more: https://www.blogofpi.com/policy-based-authorization-in-asp-net-core/