diff --git a/Makefile b/Makefile
index 1acf257957..cd2d7b5dc3 100644
--- a/Makefile
+++ b/Makefile
@@ -560,6 +560,20 @@ code-cov-report: test-clean ## Generate code coverage report
 @go tool cover -func=coverage.out -o $(CODE_COVERAGE_FILE_TXT)
 @go tool cover -html=coverage.out -o $(CODE_COVERAGE_FILE_HTML)
+#####################
+# CONFORMANCE TESTS #
+#####################
+
+.PHONY: test-conformance
+test-conformance: ## Run conformance tests
+ @echo Running conformance tests... >&2
+ @go run ./test/conformance
+
+.PHONY: kind-test-conformance
+kind-test-conformance: kind-deploy-kyverno ## Run conformance tests on a local cluster
+ @echo Running conformance tests... >&2
+ @go run ./test/conformance --create-cluster=false
+
 #############
 # CLI TESTS #
 #############
diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go
index 2c3b66b5cd..ce9e41bed6 100644
--- a/pkg/engine/variables/vars.go
+++ b/pkg/engine/variables/vars.go
@@ -17,7 +17,7 @@ import (
 "github.com/kyverno/kyverno/pkg/engine/operator"
 )
-var RegexVariables = regexp.MustCompile(`^\{\{(\{[^{}]*\}|[^{}])*\}\}|[^\\]\{\{(\{[^{}]*\}|[^{}])*\}\}`)
+var RegexVariables = regexp.MustCompile(`(?:^|[^\\])(\{\{(?:\{[^{}]*\}|[^{}])*\}\})`)
 var RegexEscpVariables = regexp.MustCompile(`\\\{\{(\{[^{}]*\}|[^{}])*\}\}`)
diff --git a/pkg/policy/background.go b/pkg/policy/background.go
index 75f54ccf3a..50a574a37e 100644
--- a/pkg/policy/background.go
+++ b/pkg/policy/background.go
@@ -31,8 +31,8 @@ func containsUserVariables(policy kyvernov1.PolicyInterface, vars [][]string) er
 }
 for _, s := range vars {
 for _, banned := range forbidden {
- if banned.Match([]byte(s[0])) {
- return fmt.Errorf("variable %s is not allowed", s[0])
+ if banned.Match([]byte(s[1])) {
+ return fmt.Errorf("variable %s is not allowed", s[1])
 }
 }
 }
diff --git a/pkg/policy/background_test.go b/pkg/policy/background_test.go
index 5e36016e5a..6ac83b1166 100644
--- a/pkg/policy/background_test.go
+++ b/pkg/policy/background_test.go
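Review bot: In pkg/engine/variables/vars.go the new `RegexVariables` still consumes the character in front of `{{` through `(?:^|[^\\])`, so with Go's non-overlapping `FindAll*` matching a reference that starts directly after another one's closing `}}` (a constructed input such as `{{a}}{{b}}`) cannot be matched, because its only possible prefix character already belongs to the previous match. That matters for the forbidden-variable check in pkg/policy/background.go, which can only reject what this pattern returns; how `vars` is produced is not shown in the diff, so this is inferred from the pattern alone. I would add a table test that runs back-to-back references through `ValidateVariables`, and put a doc comment on the exported variable, e.g. `// RegexVariables matches unescaped {{...}} references; submatch 1 is the reference itself, match 0 may include one preceding character.`, so other callers do not index the wrong group.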
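Review bot: In pkg/policy/background.go, `s[1]` inside `containsUserVariables` now relies on every element of `vars` carrying capture group 1 of `RegexVariables`, and nothing at this call site states or checks that; an element with fewer than two entries would panic with an index out of range. A comment above the loop such as `// s[1] is capture group 1 of RegexVariables: the {{...}} reference without the preceding character` would pin the contract between the two files. While these lines are being touched, `banned.MatchString(s[1])` does the same check without the `[]byte` conversion on every iteration. The function begins and ends outside the hunk, so where `vars` and `forbidden` are built is not visible here.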
@@ -132,5 +132,5 @@ func Test_Validation_invalid_backgroundPolicy(t *testing.T) {
 err := json.Unmarshal(rawPolicy, &policy)
 assert.NilError(t, err)
 err = ValidateVariables(&policy, true)
- assert.ErrorContains(t, err, "variable \"{{serviceAccountName}} is not allowed")
+ assert.ErrorContains(t, err, "variable {{serviceAccountName}} is not allowed")
 }
diff --git a/pkg/policy/on_update_policy_test.go b/pkg/policy/on_update_policy_test.go
index 529ff78a32..ab98c426e3 100644
--- a/pkg/policy/on_update_policy_test.go
+++ b/pkg/policy/on_update_policy_test.go
@@ -105,5 +105,5 @@ func Test_invalid_onUpdatePolicyPolicy(t *testing.T) {
 err := json.Unmarshal(rawPolicy, &policy)
 assert.NilError(t, err)
 err = ValidateOnPolicyUpdate(&policy, true)
- assert.ErrorContains(t, err, "only select variables are allowed in on policy update. Set spec.mutateExistingOnPolicyUpdate=false to disable update policy mode for this policy rule: variable \"{{request.userInfo.username}} is not allowed ")
+ assert.ErrorContains(t, err, "only select variables are allowed in on policy update. Set spec.mutateExistingOnPolicyUpdate=false to disable update policy mode for this policy rule: variable {{request.userInfo.username}} is not allowed ")
 }
diff --git a/test/conformance/tests.yaml b/test/conformance/tests.yaml
index 4541c9583e..f8b89c930d 100644
--- a/test/conformance/tests.yaml
+++ b/test/conformance/tests.yaml
@@ -10,7 +10,7 @@ should-fail: stderr: >- Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-1.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode. - Set spec.background=false to disable background mode for this policy rule: variable "{{request.roles}} is not allowed + Set spec.background=false to disable background mode for this policy rule: variable {{request.roles}} is not allowed - description: Policy with backgound enabled and referencing user infos should be rejected kubectl: args: @@ -36,7 +36,7 @@ should-fail: stderr: >- Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-3.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode. - Set spec.background=false to disable background mode for this policy rule: variable "{{request.userInfo}} is not allowed + Set spec.background=false to disable background mode for this policy rule: variable {{request.userInfo}} is not allowed - description: Policy with backgound enabled and referencing user infos should be rejected kubectl: args: @@ -48,7 +48,7 @@ should-fail: stderr: >- Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-4.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode. - Set spec.background=false to disable background mode for this policy rule: variable "{{serviceAccountName}} is not allowed + Set spec.background=false to disable background mode for this policy rule: variable {{serviceAccountName}} is not allowed - description: Best practice policies should create fine kubectl: args: