The broker uses NotAllowedException in most places when authorisation fails. This seems wrong to me as NotAllowedException is used for specific types of invalid command requests (e.g. declaring an existing exchange with a different type, or trying to create exchanges with prohibited prefixes). As it stands it is not possible to reliably distinguish between these two very different situations in code.
A more appropriate exception for authorisation failures would be UnauthorisedAccessException which is only used in one place (when a message is sent with a userid that differs from the authenticated id).
Obviously this breaks backwards compatibility to a degree, but I think in this case it is justified. At worst it would require applications to reconsider catching UnauthorizedAccessException wherever they are currently explicitly catching NotAllowedException.
 Described in specification as indicating: "The peer tried to use a command a manner that is inconsistent with the rules described in the specification."
 Described in specification as indicating: "The client attempted to work with a server entity to which it has no access due to security settings."