I have tried the mentioned scenario in Kentico 8.2.21 and it works. Have you applied the latest hotfix? There was a bug in version 8.2.1 - "Macros - Reset password URL in forgotten password emails not resolved correctly."
If you enable setting "Reset password requires email approval", the reset password hash is automatically generated. So if the macro used for generating reset password url in e-mail template works (an it works after applying the 8.2.1 hotfix) the scenario you mentioned should work.
Hope it will help you.