capabilities in AppArmor profile vs extended attributes
0 votes · 0 answers · 456 views
I'm trying to understand AppArmor capabilities at the moment. I found an example which had me make a copy of `/bin/ping` and generate an AppArmor profile for it.

First I made a copy of `/bin/ping` and set its `net_raw` capability to `permitted` and `effective` per the instructions:

```shell
sudo cp /bin/ping /bin/fake_ping
sudo setcap cap_net_raw+ep /bin/fake_ping
```
Then I generated an AppArmor profile:

```shell
sudo aa-genprof /bin/fake_ping
```

The AppArmor profile is saved in enforced mode - everything works. After that I unset the `net_raw` capability:

```shell
sudo setcap cap_net_raw-ep /bin/fake_ping
```

As expected, it doesn't work now due to this missing capability:

```
fake_ping: socktype: SOCK_RAW
fake_ping: socket: Operation not permitted
fake_ping: => missing cap_net_raw+p capability or setuid?
```
-----------
**My question:**

The newly generated AppArmor profile already contains `capability net_raw`, so why doesn't it work without `cap_net_raw=ep` set in the extended attributes? How is it different?
Asked by xycainoff
(23 rep)
Aug 10, 2023, 12:29 PM
Last activity: Oct 21, 2023, 06:43 PM
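The distinction the question turns on is that an AppArmor `capability net_raw` rule only restricts which capabilities a confined process may use; it does not grant any. The process still has to acquire `cap_net_raw` from somewhere, here the file capability set with `setcap`, and once that is removed the permitted and effective sets reported in `/proc/<pid>/status` are empty, whatever the profile allows. The script below is an added example, not part of the original post: it decodes the `CapPrm` and `CapEff` hex masks from `/proc/<pid>/status` so you can see which capabilities a process actually holds. The capability bit numbers are the kernel's own (`<linux/capability.h>`); the sample status lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original post. Decodes the CapPrm/CapEff
# hex bitmasks the kernel reports in /proc/<pid>/status so you can check
# whether a process actually holds a capability such as cap_net_raw.
# Usage against a live process: report_cap cap_net_raw < /proc/<pid>/status

# Capability bit numbers as defined in <linux/capability.h>.
cap_number() {
    case "$1" in
        cap_chown)            echo 0 ;;
        cap_dac_override)     echo 1 ;;
        cap_setgid)           echo 6 ;;
        cap_setuid)           echo 7 ;;
        cap_net_bind_service) echo 10 ;;
        cap_net_admin)        echo 12 ;;
        cap_net_raw)          echo 13 ;;
        cap_sys_admin)        echo 21 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# cap_in_mask <hex mask> <cap name>: prints yes if that bit is set, else no.
cap_in_mask() {
    n=$(cap_number "$2") || return 1
    if [ $(( (0x$1 >> n) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# report_cap <cap name>: reads /proc/<pid>/status text on stdin and prints
# one line: "<cap> permitted=yes|no effective=yes|no".
report_cap() {
    capname="$1"; prm=no; eff=no
    while read -r key mask _; do
        case "$key" in
            CapPrm:) prm=$(cap_in_mask "$mask" "$capname") ;;
            CapEff:) eff=$(cap_in_mask "$mask" "$capname") ;;
        esac
    done
    echo "$capname permitted=$prm effective=$eff"
}

# Constructed sample status lines (not captured from a real system).
# A fake_ping started from a binary carrying cap_net_raw+ep: bit 13 (0x2000)
# is set in both the permitted and effective sets.
with_filecaps() {
    printf 'Name:\tfake_ping\nCapInh:\t0000000000000000\nCapPrm:\t0000000000002000\nCapEff:\t0000000000002000\nCapBnd:\t000001ffffffffff\n'
}

# The same binary after setcap cap_net_raw-ep: the process holds no
# capabilities at all, regardless of what the AppArmor profile permits.
without_filecaps() {
    printf 'Name:\tfake_ping\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n'
}

with_filecaps | report_cap cap_net_raw      # cap_net_raw permitted=yes effective=yes
without_filecaps | report_cap cap_net_raw   # cap_net_raw permitted=no effective=no
```

Running `report_cap cap_net_raw < /proc/$(pgrep -n fake_ping)/status` on a live process shows the same thing the two constructed samples do: with the file capability present the bit is set in both sets, and after `setcap cap_net_raw-ep` both sets are zero, so the raw socket call fails before AppArmor's capability rule is ever consulted.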