The Change Password endpoint will return a success message, regardless of outcome, as a security measure to prevent user enumeration. E.g. a malicious user could use this endpoint to find out whether an email address was registered with your application. The following document explains user enumeration in more detail:
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)