I have not done this in a long time but my recollection is that you write that policy based on the destination nat address and not the public address since the policy check comes after static and destination nat is resolved.
https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110