You’re using the wrong Authentication flow. You can’t get user permissions from an App token, as that token doesn’t represent a user, you need to use the Auth Code Flow so that the user can grant your app those permissions.
Once the user has connected to your app and explicitly allowed it those permissions, THEN you use an App token from the Client Credentials flow to create the EventSub subscription.