The password policy will take the condition as AND.
So, if the condition 1 says Allow and condition 2 says Deny ..the effective policy is DENY (more restrictive)
So , in this case, as you have allowed punctuation characters , following characters are allowed as per this config :
Punctuation: "!'(),.:;?@#%&*-_{}[]/\
However, as per your regular expression you have allowed only : !",";" and "-"
So effectively, the policy will allow only the later set of characters :!",";" and "-"
Hope this clears your doubt.
Regards,
Ujwol