C9800 pki auth error

fabio daitx
Level 1

Access points are not authenticating on Cisco Catalyst 9800-40 Wireless Controller 17.9.5.

Monitoring > Wireless > AP Statistics -> No reboot reason | AP Auth Failure

AP models: C9130AXI-Z and IW6300

Trace logs: Attached

Any suggestion?


15 Replies

Scott Fella
Hall of Fame

@fabio daitx Can you provide more info?  Do you have any other access points connected or is this a new setup?  You have NTP configured on the controller and also validated the country code configuration?  Have you tried to put the ap on the same subnet as the controller?  These are just basic things to look at and try.  

-Scott
*** Please rate helpful posts ***

Answers:

Do you have any other access points connected or is this a new setup? Yes, I have other APs and they are working.

You have NTP configured on the controller and also validated the country code configuration? Yes, NTP is working. How do I validate the country code configuration?

Have you tried to put the AP on the same subnet as the controller? It is not possible, since the controller is remotely connected, but now there is also one AP that is in the same subnet and not working.

For the country code, you would see the model in the sticker on the access point or on the box.  Now to check what country code you have configured already, you can reference this link:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/country-codes.html#config-country-codes

As long as the APs you have purchased are for the same country as the existing ones that are already joined and working on that controller, then the country code is not the issue. Also, looking at the Wireless Matrix, https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html, the AP model you posted is supported on the 9800 code you also posted. Given that you already have existing access points joined to that controller, that eliminates any issue with the trustpoint.

So what model access points do you have that are successfully joined to that controller, and do you have existing access points joined on the same switch as the ones you are not able to join? This also helps eliminate any infrastructure issues with either local mode or FlexConnect mode.

-Scott
*** Please rate helpful posts ***

IW-6300H-AC-Z-K9 is not listed for Brazil. Since it is the only AP that is not working now, I suppose that it can be related to the country code. Can I configure multiple country codes, for example BR and US, so that this model works? Note: I intend to use mesh in the future.

Yes, you can configure additional country codes on the controller. That should then fix your issue. Just make sure the AP is mounted in the country it's made for so that you don't break any regulations.

-Scott
*** Please rate helpful posts ***

Saikat Nandy
Cisco Employee

Few things - 

1. Are you really doing AP auth? 

2025/04/08 12:50:18.740673830 {wncd_x_R0-2}{2}: [errmsg] [16528]: (note): %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: R0/2: wncd: AP Event: AP Name: AP4006.D5E0.2180 Mac: 4006.d5cb.d440 Session-IP: 10.135.148.191[5256] 10.201.233.81[5246] Disjoined AP Auth Failure

Please check from WLC GUI > Configuration > Security > AAA > AAA Advanced > AP Policy ====> and check if you have enabled AP authz. Also, if it is enabled, check whether that's an intended config (if not, disable it). If it is an intended config, then please check if the AP base Ethernet MAC address is added to your authz database. Usually AP Auth is mostly used in mesh setups. Refer - https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215100-join-mesh-aps-to-catalyst-9800-wireless.html

2. Looks like you are running 9800-40 on 17.9.5. According to the trace it looks like the 'CISCO_IDEVID_SUDI' trustpoint might be in use for the WMI. Please note that there was a change in the SUDI cert in 17.9.5. Refer - https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/release-notes/rn-17-9-9800.html (Table 1).
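A small triage helper for the controller trace line quoted above, added here as an example (not code from the thread or from Cisco): it parses the wncd AP_JOIN_DISJOIN events and counts "Disjoined AP Auth Failure" per AP MAC, so the list can be compared against the AP Policy authz database. The regex is derived from the one sample line in the thread; the other log lines and the second MAC are constructed.

```python
import re
from collections import Counter

# Field layout taken from the single AP_JOIN_DISJOIN line in the thread;
# group names are our own (assumption: other AP events share this layout).
AP_EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \{(?P<proc>[^}]+)\}\{\d+\}: .*?"
    r"%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: .*?"
    r"AP Name: (?P<name>\S+) Mac: (?P<mac>[0-9a-fA-F.]+) "
    r"Session-IP: (?P<ap_ip>[\d.]+)\[(?P<ap_port>\d+)\] "
    r"(?P<wlc_ip>[\d.]+)\[(?P<wlc_port>\d+)\] (?P<event>.+?)\s*$"
)

# Constructed sample: line 1 is the thread's own trace line, the rest are made up.
SAMPLE_LINES = [
    "2025/04/08 12:50:18.740673830 {wncd_x_R0-2}{2}: [errmsg] [16528]: (note): "
    "%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: R0/2: wncd: AP Event: "
    "AP Name: AP4006.D5E0.2180 Mac: 4006.d5cb.d440 Session-IP: "
    "10.135.148.191[5256] 10.201.233.81[5246] Disjoined AP Auth Failure",
    "2025/04/08 12:50:20.000000000 {wncd_x_R0-2}{2}: [capwapac-smgr-sess] [16528]: "
    "(info): Some unrelated session message",  # constructed, should be ignored
    "2025/04/08 12:51:05.000000000 {wncd_x_R0-2}{2}: [errmsg] [16528]: (note): "
    "%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: R0/2: wncd: AP Event: "
    "AP Name: AP-LOBBY-1 Mac: 0011.2233.4455 Session-IP: "
    "10.135.148.50[5256] 10.201.233.81[5246] Joined",  # constructed
    "2025/04/08 12:52:30.000000000 {wncd_x_R0-2}{2}: [errmsg] [16528]: (note): "
    "%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: R0/2: wncd: AP Event: "
    "AP Name: AP4006.D5E0.2180 Mac: 4006.d5cb.d440 Session-IP: "
    "10.135.148.191[5256] 10.201.233.81[5246] Disjoined AP Auth Failure",  # constructed retry
]


def parse_ap_event(line):
    """Return the fields of an AP_JOIN_DISJOIN trace line, or None if it is not one."""
    m = AP_EVENT_RE.match(line)
    return m.groupdict() if m else None


def auth_failures(lines):
    """Count 'Disjoined AP Auth Failure' events per AP MAC across the trace."""
    counts = Counter()
    for line in lines:
        ev = parse_ap_event(line)
        if ev and ev["event"].startswith("Disjoined") and "Auth Failure" in ev["event"]:
            counts[ev["mac"]] += 1
    return counts


if __name__ == "__main__":
    for mac, n in auth_failures(SAMPLE_LINES).items():
        print(f"{mac}: {n} AP auth failure(s) - check AP Policy authz list")
```

Each MAC it reports is either missing from the authz database or has AP authorization enabled unintentionally, which is exactly the check described above.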

Answers:

1. Are you really doing AP auth? No, I was not supposed to do that. I had enabled it to try to make the AP authenticate and associate with the controller, but now I have disabled AP Policy -> Authorize APs against MAC (disabled) | Authorize APs against Serial Number (disabled), and two other APs associated. Thanks. Now I have only one AP that is not associating, the IW6300 (new log attached). It worked once but never again after I configured it as bridge (I have already tried resetting to factory defaults, but it is still not working).

2. Looks like you are running 9800-40 on 17.9.5. I am not sure about 'CISCO_IDEVID_SUDI', what am I supposed to do? Change some configuration? How can I do that?


I am still seeing AP Auth failure in the logs. Since you have disabled the AP Authz, the WLC should allow the AP. Now I am more interested in looking into these outputs from the AP CLI -

#show capwap client rcb

#show capwap client config

#show ip int br

#show logging

It follows attached.

I am sorry! Looks like the logs were collected from the controller. As mentioned, the commands shared before need to be run on the problematic AP.

Hi, I just solved the problem by manually logging in to the AP and issuing the following command: "capwap ap mode local", as described at https://community.cisco.com/t5/wireless/wlc-9800-l-c-ap-iw-6300h-not-join/td-p/4278159. I didn't understand why the APs were associating as bridge if they had been reset to factory defaults. Anyway, I also collected the logs (attached) and now I am running the mesh configuration procedure (https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215100-join-mesh-aps-to-catalyst-9800-wireless.html). Thanks for your help and support.

I think what you need to look at is to factory reset it again and see if it goes back to bridge. That might be something you need to document, as that might have been set at the factory.

-Scott
*** Please rate helpful posts ***

AP auth is mandatory for bridge mode APs <wink>
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215100-join-mesh-aps-to-catalyst-9800-wireless.html
"A mesh AP needs to be authenticated for it to join the 9800 controller."

marce1000
Hall of Fame


- Adding to the 'basic things' being mentioned; validate the 9800-40 controller's configuration with the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '