After stepping through Strapi code I found out what’s going on…
The comment from the source code explains it (far better than the Admin UI)
/**
* If you don't have `full-access` you can only access `find` and `findOne`
* scopes. If the route has no scope, then you can't get access to it.
*/
Given a custom route has the following scope api::routeName::routeName::actionName - API tokens which are set to read-only will throw a 403…
Thus - you must use a Full Access token, or, add the following config to your custom route:
auth: {
scope: ['find']
}