First, don’t EVER share access tokens or refresh tokens. they are to be treated as confidential tokens and as such to share them is a violation of the developer agreement. Because you’ve leaked the token I’ve just revoked it so that it can’t be misused.
Secondly, just to check, does the user going through the OAuth flow match that of the channel you’re trying to use the channel points endpoints for? eg, if you go through the OAuth flow, you can only use that OAuth token with your broadcaster id.