Using Authorization with Spring Boot 3.0.2

I have a Spring Boot application with java 17, okta-starter and thymleaf running. My Problem is now to secure some parts of the website with scopes, like in this quick-start. I have added my audience in the application.yml but I only get 403 not authorized on the specific URL.

SecurityConfiguration:

@Configuration
@EnableMethodSecurity
@EnableWebSecurity
@Order(1)
public class SecurityController {

    @Value("${okta.oauth2.issuer}")
    private String issuer;
    @Value("${okta.oauth2.client-id}")
    private String clientId;

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers("/api/ws").permitAll()
                        .requestMatchers(HttpMethod.GET,"/api/public/**").permitAll()
                        .requestMatchers(HttpMethod.POST,"/api/public/**").permitAll()
                        .requestMatchers("/test/blank").hasAuthority("SCOPE_access:devtest")
                        .anyRequest().authenticated()

                )
                .logout(logout -> {
                    logout.addLogoutHandler(logoutHandler());
                    logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
                })
                .cors().and()
                .oauth2ResourceServer((oauth2) ->
                        oauth2.jwt(withDefaults()));

        return http.build();
    }

application.yml:

# src/main/resources/application.yml
okta:
  oauth2:
    issuer: https://issuer.com
    client-id: longclientid
    client-secret: longclientsecret
    audience: https://api.customdomain.com/v1/api

server:
  port: 8080
  error:
    whitelabel:
      enabled: false

spring:
  messages:
    basename:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: longclientid
            client-secret: longclientsecret
            scope: openid, profile, email
      resourceserver:
        jwt:
          issuer-uri: https://issuer.com
          audiences: https://api.customdomain.com/v1/api