Yes, certificate requester is allowed to insert certificate policy or any other extension. But the Certificate Authority might validate the request or reject it.
Per default the openssl configuration file, openssl.cnf, includes the following setting for CRS extension:
[ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment
In order to support certificate_policies extension, "certificatePolicies" settings have to be added in this section.