The access token payload you shared indicates that the request was done in the scope of a specific organization, so can you double-check that the user has permissions assigned to this API in the scope of that specific organization? I believe the user should have roles assigned in the scope of the organization that ensure that they get the adequate permission set in the scope of that organization.
If you assigned direct permissions to the user I believe this will only surface if you make a request NOT associated with an organization.
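As an added diagnostic, not code from this thread, assuming an Auth0-style access token where the organization appears in an `org_id` claim and RBAC permissions in a `permissions` claim (all sample values are constructed): decode the payload and report which of the two cases above, organization-scoped roles or direct user permissions, explains the missing permissions.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Read the payload of a compact JWS without checking the signature.
    Diagnostic only: the API must verify the signature before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_org_scope(payload: dict, api_identifier: str) -> dict:
    """Explain why the token may carry no permissions for api_identifier."""
    aud = payload.get("aud", [])
    aud_list = [aud] if isinstance(aud, str) else list(aud)
    org_id = payload.get("org_id")          # present only for organization logins
    perms = list(payload.get("permissions", []))
    if api_identifier not in aud_list:
        hint = "token not issued for this API: check the audience"
    elif org_id and not perms:
        hint = "organization-scoped token with no permissions: check the user's role assignments within the organization"
    elif not org_id and not perms:
        hint = "non-organization token with no permissions: check direct permission assignments on the user"
    else:
        hint = "permissions present"
    return {"audience_ok": api_identifier in aud_list, "org_id": org_id,
            "permissions": perms, "hint": hint}


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned token (empty signature) for the demo only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."


# Constructed sample resembling the thread: organization login, no permissions
SAMPLE = make_unsigned_token({"iss": "https://example-tenant.example.com/",
                              "sub": "auth0|user123", "aud": ["https://api.example.com"],
                              "org_id": "org_example123", "permissions": []})

if __name__ == "__main__":
    print(check_org_scope(decode_payload(SAMPLE), "https://api.example.com")["hint"])
```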