The ACL on the VRF interface blocks all traffic except SNMP and SSH. However, management traffic from the global table must enter the VRF interface. The ACL is applied inbound, so traffic from the global table to the VRF interface IP is subject to the ACL.
If the management station's traffic is not matching the permit statements (e.g., source port or protocol), it is denied. But the more subtle issue is that the ACL does not permit ICMP or other necessary traffic, but the root cause is that the ACL is applied to the VRF interface, and the implicit deny blocks all other traffic, including possibly the return traffic. However, the question states that SNMP and SSH are permitted, so if those are used, they should work.
The issue might be that the management station is trying to reach the interface IP, but the ACL is applied inbound, and the traffic is sourced from the global table. The root cause is that the ACL is applied to the VRF interface, but the management traffic is coming from the global table and must be routed into the VRF; the ACL may be blocking the traffic if the source is not matching. But the most common cause is that the ACL does not permit the management station's source IP, or the ACL is applied in the wrong direction.
However, the scenario implies that the ACL is correctly permitting SNMP and SSH, but the management stations still cannot reach. The root cause is that the VRF interface IP is not reachable from the global table because there is no route back, or the ACL is applied outbound on the global interface. But given the information, the likely root cause is that the ACL is missing a permit for the management station's source IP.