In Citrix Gateway deployment, You may encounter "Cannot complete your request" error if adding a new EPA policy in AAA vServer. 

For example, you have the following existing configuration to implement post EPA scan based on group name:
 

add authentication Policy NoAuthGroup01 -rule "HTTP.REQ.USER.IS_MEMBER_OF(\"Group01\")"
add authentication Policy NoAuthGroup02 -rule "AAA.USER.IS_MEMBER_OF(\"Group02\")
bind authentication policylabel NoAuthGroup -policyName NoAuthGroup01 -priority 100 -gotoPriorityExpression NEXT -nextFactor EPAScanLabel01
bind authentication policylabel NoAuthGroup -policyName NoAuthGroup02 -priority 110 -gotoPriorityExpression NEXT -nextFactor EPAScanLabel02

If you add a new EPA policy under EPAScanLabel02 policy label to do one more group filter like the following: 
 

add authentication Policy Tier2NoAuthGroup03 -rule "HTTP.REQ.USER.IS_MEMBER_OF(\"Group03\")"
bind authentication policylabel EPAScanLabel02 -policyName Tier2NoAuthGroup03 -priority 500 -gotoPriorityExpression NEXT

It'll have the possibility to see the "Cannot complete your request" after login gateway vServer. And the error is thrown by gateway rather than StoreFront. URL is: "https://fqdn/logon/LogonPoint/tmindex.html"

 

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Citrix suggest you to use AAA.USER expression in all cases because it's advanced expression. Classic expression will be deprecated in the future. 
After changing all HTTP.REQ.USER to AAA.USER expression, the issue is resolved. 

In eDoc: Session and traffic managemen, Citrix has a note for this point: 

• If you use HTTP.REQ.USER expression, a warning message “HTTP.REQ.USER has been deprecated. Use AAA.USER instead” appears on the command prompt.

---

Problem Cause

The expression to distinguish user's group used both classic and advanced expresssion. "AAA.USER" and "HTTP.REQ.USER". That may lead some code exception and cause the error.  
 

"Cannot complete your request" on Citrix Gateway after adding EPA policy