I figured it out so I’m posting here for future people:
The API token I was passing for the auth request was my read-only API key I was using for grabbing content. If you are passing an API key you need it to be full-access for auth requests to work.