Firstly its not "Jason", its JSON which stands for "Javscript Object Notation"
What makes you say that the threat protection policy is not working for your payload? Post your trace here to prove that.
There is nothing wrong with Json Protection policy that's included in your api proxy. For the payload you have posted here, it works absolutely fine and throws an error - Exceeded Object entry count.
See attached screenshot below. Make sure you have the Content-Type header for the request set to application/json
Thanks.Spelling error...