client ID’s are public, there is no need to redact your clientID.
Did the oAuth prompt state that you were asking for the moderator read scope?
Here you seem not have URL encoded the redirect_uri and might have got an unexpected result
You can call Authentication | Twitch Developers to check if the token has the needed scopes, is of type user, and has the user_id 454325344
Your postman call looks to have a bunch of extra headers, including cookies.
If that cookie is a Twitch cookie that might be interferring with the request. You are sending way more headers than is normal for an API call. Unlikely to be a problem but worth it to rule out.