What @Dist pointed out is correct: you’re missing the Authorization header.
But also your Content-Type header should be application/x-www-form-urlencoded as that is the format you’re using in your request body. Alternatively make your body JSON and use application/json like in your original example.