I had this issue; it was giving me the same 403 error. I tried both the idToken and the access token in test, then I just deployed the API with this authoriser and tried the access token first for the deployed API (this did not work), and then I tried the idToken (and it gave me a 200 response). Then, when I tried the idToken for testing, it gave me back a proper response with a 200 code.