The check-header policy runs an exact match on the whole header. When you have
Content-Type: multipart/form-data; boundary=<calculated when request is sent>
the header value doesn't match exactly with "multipart/form-data", then the request is rejected. You can keep the check-header policy to validate the application/json content-type, but for the multipart/form-data which contains a dynamic value (the boundary=xxx) you should move to a "manual" check.
You can run the manual check extracting the Content-Type header, then applying a regex via a policy expression to detect if the header contains a valid value. Then based on the output of the regex, you can choose to block the request processing and return the 415 error.