I meant the entire definition. That is, what is the result of Get(Role('Knight')). You shared a portion, but it could be important to review the whole thing to effectively debug with you.
In general, the write predicate you have appears saved correctly. That means that there would be something else going on.
Here is a minimal role that I believe does what you want: Read-only if CurrentIdentity matches, write only if CurrentIdentity matches.
Also minimal because of no membership predicate. Presumably, there is nothing wrong with the membership predicate since full read/write permissions work when given.
The same predicate that you started with should work. Even using Identity() instead of CurrentIdentity() for the time being.
I can confirm this works as intended by logging in with a user, then performing the GraphQL queries with the secret.
If the predicate is not working for you, then something else must be off. Are you sure that your GraphQL mutation is updating the same user for which you have a token?