What are the best practices of structuring XACML policies?

Question

This is a great question. A short answer would be: it depends on your use case. There is not right or wrong here. You could protect all your APIs in a single policy or even a single rule.

That said, think about the entire policy lifecycle:

requirements gathering
policy design
policy authoring
policy evaluation
policy auditing
policy reconciliation

In each stage, who's responsible? The same set of people? Different teams? How do you want to scale up the use of XACML in your company? Do you want a central authoring team? Will that work when you need to support 10, 100, 1000 APIs? The answer is likely no.

This means that you want to let API owners write their own policies. They get to choose what they define in their policies, what is allowed, what isn't.

Then, you want to have a "policy packager" role. That person collects and assembles all the policies that have been written. There are different types of policies:

the application policies (the ones written by the API owners)
the operations policies (the ones about global checks e.g. no access before 9am or no access from a rogue country...)
the compliance & regulatory policies (the ones about HL7, PCI-DSS and other regulations)

In a global policy set you can combine the policies (or policy sets since policy sets can contain policy sets). You can choose your combining algorithm to match your need. A typical one is first-applicable. It means that whichever policy / rule applies first wins overall. A more conservative choice would be deny-unless-permit, which denies all requests unless a policy explicitly permits access.

Back to your specific example, based on past experience, I would be tempted to write 3 different policies, one per API. You can use policy references and policy set references to link and reuse policies.

Axiomatics (disclaimer: this is the company I work for) provides workshops on XACML and attribute-based access control.