Invalid authorization code now returns 401 instead of 403

We are in a private tenant. Starting this week our unit tests started failing. Previously, an invalid authorization code in the oauth/token request was returning 403, and is now returning 401.

401 is more correct, since 403 (Forbidden) is usually missing scopes.

Can someone confirm this change was intentional? When was it rolled out?
Is it uniform across all tenants (e.g. across all the tenants in our private instance)?

Hi @arthuston-abacus,

Would you please send me a DM with the name of the account and tenant that has been effected?