I want to allow for two auth methods in Dovecot via SQL. First, the traditional route where the password is hashed with SHA512-CRYPT and compared to the DB response. Second, where the request is coming from a user already authenticated by a different part of the local system, and the hash itself is passed and compared as PLAIN.
It works perfectly with the following auth-sql.conf.ext and associated SQL files...
# Passdb for traditional method
passdb {
  driver = sql
  args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
}
# Passdb for hybrid method (direct hash comparison)
passdb {
  driver = sql
  args = /etc/dovecot/conf.d/dovecot-sql-hybrid.conf.ext
}
# Userdb prefetch to use attributes from the passdb query
userdb {
  driver = prefetch
}
# Userdb static as fallback for default attributes
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/srv/mail/%d/%n
}
The problem I'm having is that I want to secure the second hybrid PLAIN method so that it can only be used by the local host using the allow_nets argument. In the documentation it shows that I should simply add it to the args like this...
args = /etc/dovecot/conf.d/dovecot-sql-hybrid.conf.ext allow_nets=local,127.0.0.1/32
But as soon as I do this, the logs show that it's trying to open the entire string as if the allow_nets... part is part of the path, and fails to find the file. I've tried moving the allow_nets argument to the beginning, but that had the same result.
What is the correct syntax for using allow_nets with passdb sql?
Cross-posted from https://serverfault.com/questions/1170095/proper-syntax-for-using-allow-nets-with-dovecot-passdb-sql after no responses.
Upvotes: 0
Views: 12
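
The following is an added example, not part of the original post or of the Dovecot project's own files. It shows the failing form beside two ways to attach allow_nets to an SQL passdb, assuming the Dovecot 2.3-style syntax used in the post. allow_nets is a passdb extra field, while for driver = sql the args value is only the path of the SQL config file. The table and column names in the query are hypothetical, since the post does not show dovecot-sql-hybrid.conf.ext.

```conf
# auth-sql.conf.ext

# Fails: everything after "args =" is taken as the file name for driver = sql.
#passdb {
#  driver = sql
#  args = /etc/dovecot/conf.d/dovecot-sql-hybrid.conf.ext allow_nets=local,127.0.0.1/32
#}

# Option 1: set the extra field in the passdb block.
passdb {
  driver = sql
  args = /etc/dovecot/conf.d/dovecot-sql-hybrid.conf.ext
  # override_fields is a space-separated list of key=value extra fields
  # applied on top of whatever the password_query returns.
  override_fields = allow_nets=local,127.0.0.1/32
}

# Option 2: return the field as a column from the query in
# dovecot-sql-hybrid.conf.ext (hypothetical table/column names).
#password_query = SELECT email AS user, password, \
#  'local,127.0.0.1/32' AS allow_nets \
#  FROM users WHERE email = '%u'
```

Use only one of the two options for the hybrid passdb. The restriction can be checked from the server with `doveadm auth test -x rip=<address> <user> <password>`, once with a local address and once with a remote one.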