I have an application running out of my Oracle based IdM system that updates group membership.  This process broke down due to the process using an OAUTH2 based authentication.  I have create a new app that uses different auth, and now we can read all the groups and group members.  However, when we try to add a group member, we get:

403 - access_denied_insufficient_permissions - Access denied - insufficient permission

This is from an Oracle PL/SQL app, using the APEX_WEB_SERVICE.MAKE_REST_REQUEST function.  The same one that we used to get the list of groups and have been using for 10 years to create users and groups.  The app gets a token (if needed - tracks the expiration date in the database), and makes the request. It also logs the token, url and request body.  If I copy and paste these values into Postman and POST it, it works fine - same token, same URL, same body.

I expect I am missing (or including) some header or cookie, or some other magic, and the API which causes the failure.  Unfortunately, my recent tests are still within the 48 hour window of the Diagnostic report.  I have also updated my ticket with customer service, to include the request id of both the working and failing requests, but perhaps they are also stuck behind the 48 hour report window.