Given EventSub doesn’t use user tokens, and does a check for if the user has granted the scope in the past, this shouldn’t be the case. But based on:
You have an active subscription, you cannot create duplicate subscriptions with the same rules.
So I expect your issue is a 422 conflict, not a 403 lack of permissions.