EdgeSWG appliance returns "Invalid substitution string" errors on policy installation for CPL code that contains hmac functions. A sample error message looks as below:

Error: Invalid substitution string '$(1)/notify-NotifyUser1?$(url:encode_base64);$(url:encode_base64:hmac)')

Policy includes a policy gesture that depends on hmac function, eg User Notify gesture, etc.

Hmac encryption key may be missing or corrupted in the EdgeSWG configuration 

Verify hmac key in the EdgeSWG configuration:

EdgeSWG#(config)show policy config

If there is no policy hmac encrypted-key section or it looks corrupted you may need to re-generate the key with the command below:

EdgeSWG#(config)policy hmac generate-key