After trawling around the support KB pages - they are quite a good resource for blcli information - it seems that
actually does what I want. I missed this before because the apply methods usually apply permissions to an ACL Template object (ie directly define who can access the object itself).
For an Auth Profile, you use
to add the auth profile into the ACL template list. For me add is much more logical for this purpose.
Not very consistent, but at least it is possible! Note that this is new in BSA 8.2. It might be possible to copy the XML file to an 8.1 system, but do this at your own peril.