Edited your post to remove your leaked client secret and generated access token. You shouldn’t publish these publicly!
You should make sure you are using postman desktop for this, as postman web will interfere with extra cookies.
You’ll also need to create a proxy to handle the requests (and potentially cache requests to same duplicate lookups) as due to CORS limitations the Android app itself will not be able to make the request directly.
Your problem is likely the use of postman rather than a problem with your token itself. Skip postman and use something similar to what you will use in reality.