I don't trust a test unless I've seen it fail.
This doesn't necessarily mean you have to always write a failing test first using TDD. Even if I write the test after the code, I still like to be able to comment out one line of application code and see a test fail as expected.
For example, you might have authorization logic which can return a 403 for multiple different reasons. If you don't see your test actually fail, it might be passing for a reason other than what you are expecting.
Taking a few extra moments to comment out the particular line you're testing in your Laravel policy and then watching that test fail can give you absolute confidence that it's covering what you think it is.
Here to help,
P.S. If you're still reading this, I just want you to have a great day!