So I figured it out.
My mistake was taking the example data a bit too literally.
bcrypt-credntials-fn is looking for :username in hash-map returned from the function it calls, which means my credentials map was nested one too deep. This works in my example.
{:username "bob@bob.bob",
:password "$2a$10$rtDxqCqZRIRFFzjCYD9d.uiQ2NuUMXto.jCbWNPtVKF1y/d4WPL/C",
:roles #{:practice.models.db/admin}}
It'd work hard-coding it because it'd look for essentially ["bob@bob.bob" :username], which is valid.
Hope this helps anyone else having same issue.