Not an expert here, but inspect_message only handles ingress messages. ic-test-state-machine operates on another level.
To test the inspect_message handler you’d need to run e2e tests, i.e. running your canister on the (local) replica and calling create_user from a client.
As far as I remember this only runs for calls that come through the http gateway. Other canisters that call your canister directly (inter canister call) will not go through inspect_message if I remember correctly.
So make sure that it’s not used as the sole security layer, still make sure that the methods themselves also verify access.