Oh, never mind, I found the answer. It's hidden in this table of Gateway class capabilities:
https://cloud.google.com/kubernetes-engine/docs/how-to/gatewayclass-capabilities#additional-services
Cloud Armor policies are not supported for regional external gateways. It would be helpful if this was noted in the docs for configuring Gateway policies:
https://cloud.google.com/kubernetes-engine/docs/how-to/configure-gateway-resources#configure_cloud_armor