Its an authz policy (because it happens post-authn). Its definitely possible, but you'd have to make sure the application requires an OAuth2 token--either an UMA RPT token, or our simpler GAT token.
There is another trick that may be required. During authentication, you have a connection to the user's browser. At this point, I think you can get the timezone from the person's preferences. You'll need to write this to the session for future use in the authorization policy.
Yuriy Movchan can confirm if there is a session variable that you could use to store this information during the custom authn script, that would make it available in the authz script.