I might have found the culprit, thanks to your post about user access tokens. I think my original understanding of what type of token I needed was incorrect. I’ll try to summarize my new understanding of the tokens and see if I’m mistaken or if this is what was wrong.
App access tokens are for server-to-server requests for public data not specific to a user.
Client access tokens are for server-or-client-to-server requests for sensitive data specific to a user.
Thus, for subscription data, I probably needed a client access token all along! Does this sound correct? And if so, what good are app access tokens really if they only allow access to endpoints that don’t even need authorization?