Why is the monitoring namespace evaluated wrong?
Check the Service in the web-apps ns; it listens on port 80. So any pods that communicate with pods labeled app: frontend should be routed only to port 80.
Add the ports field, and it should work.
But in this case, pods with label app: backend are not restricted to the same namespace, right?
No. As this NetPol is in the web-apps namespace, this will only allow pods labeled app: frontend to receive traffic from app: backend from the same namespace in which the NetPol is created. OR, any pods from the monitoring namespace on port 80.
I think the network policy will work only on the frontend-labeled pod in the namespace, but it can be reached by any pod with label backend. There should be an "and" condition.
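The peer-matching rules this thread turns on, as an added example that is not part of any post above: a small Python model of how Kubernetes evaluates `from` entries in a NetworkPolicy ingress rule (a bare `podSelector` is scoped to the policy's own namespace, separate list entries are ORed, and `ports` applies to the whole rule). The policy is constructed from the thread's description, not taken from the lab's manifest; the namespace label `kubernetes.io/metadata.name` and the helper names are assumptions.

```python
# Added example: simplified model of NetworkPolicy ingress evaluation
# (matchLabels only, ports as plain integers). Policy constructed from the thread.
NS_LABEL = "kubernetes.io/metadata.name"  # assumed namespace label

POLICY = {
    "namespace": "web-apps",
    "podSelector": {"app": "frontend"},
    "ingress": [{
        "from": [
            {"podSelector": {"app": "backend"}},          # same namespace only
            {"namespaceSelector": {NS_LABEL: "monitoring"}},  # any pod in monitoring
        ],
        "ports": [80],
    }],
}

def labels_match(selector, labels):
    """An empty selector matches everything, as in Kubernetes."""
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer, policy_ns, src):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    # No namespaceSelector: the peer is limited to the policy's own namespace.
    if ns_sel is None:
        ns_ok = src["namespace"] == policy_ns
    else:
        ns_ok = labels_match(ns_sel, src["ns_labels"])
    # Both selectors in ONE peer entry are ANDed together.
    pod_ok = pod_sel is None or labels_match(pod_sel, src["labels"])
    return ns_ok and pod_ok

def allowed(policy, src, dst, port):
    selected = (dst["namespace"] == policy["namespace"]
                and labels_match(policy["podSelector"], dst["labels"]))
    if not selected:
        return True  # this policy does not restrict dst
    # Peers within a rule are ORed; the rule's ports apply to every peer.
    return any(port in rule["ports"]
               and any(peer_matches(p, policy["namespace"], src) for p in rule["from"])
               for rule in policy["ingress"])

def pod(ns, **labels):
    """Hypothetical helper: build a pod record with its namespace's labels."""
    return {"namespace": ns, "labels": labels, "ns_labels": {NS_LABEL: ns}}
```
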

