Can't use Group deploy token to push image to container registry

I have a project named my-docker-app that contains a single Dockerfile and I have setup CI so that when I push a tag, it should build the image and deploy it to gitlab’s container registry. There will be multiple such projects that will be part of the same group (docker-group). Therefore, I have setup a group deploy token with the correct scope and I am trying to docker login with that in order to push the image.
(see .gitlab-ci.yml below for details)

However, when I try to push I get:
denied: requested access to the resource is denied

I am using gitlab.com

.gitlab-ci.yml

image: docker:stable

services:
   - docker:dind

variables:
    DOCKER_HOST: tcp://docker:2375
    DOCKER_DRIVER: overlay2
    DOCKER_GROUP_NAME: docker-group

before_script:
    - echo $CI_REGISTRY_DEPLOY_TOKEN | docker login -u $CI_REGISTRY_DEPLOY_USER --password-stdin $CI_REGISTRY_IMAGE

    
build_image:
    tags:
        - docker
        - shared

    script:
        - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG .
        - docker run $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
        - docker image push $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
    only:
        - tags

I have tried logging with the group deploy token in the root folder registry.gitlab.com, in the group folder (registry.gitlab.com/docker-group), even in the project’s folder (registry.gitlab.com/docker-group/my-docker-app) but to no avail. In all these cases docker login returns Login succeeded but then when you try to push the image I get the error message above.
The only thing that has worked is to push the image registry.gitlab.com/docker-group:$CI_COMMIT_TAG which is not what I want.

Edit: I have built the image registry.gitlab.com/docker-group/my-docker-app/app:$CI_COMMIT_TAG in CI (so that the image name is conforming to image naming convention and tried docker login with a group deploy token in:

  1. registry.gitlab.com
  2. registry.gitlab.com/docker-group
  3. registry.gitalb.com/docker-group/my-docker-app
  4. registry.gitlab.com/docker-group/my-docker-app/app
    And I still get denied: requested access to the resource is denied.
    Any help is appreciated

OK kind of unintuitive but what fixed it for me was that write_registry scope alone would not allow me to push my docker image.
I had to have write_registry + read_registry scope on my deploy token.