Are you just using the user’s access token in this scenario? If so, you won’t be able to add the update:users scope as even Management API tokens issued to a SPA are limited in scope.
Instead, you will need to make this call from a backend which handles getting a Management API access token, similar to what’s described in this FAQ: