Having the same issue here. Probably API endpoints have some inbound access policy on the API gateways. Like aud, scp checks or something else, not sure. We need to identify it and go from there.
With your MSAL token, did you check the token payload? What are the differences from the working token extracted from the browser?
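
One way to run the payload comparison suggested in the comment above, as an added example that is not part of the original thread: it decodes the claims of two tokens for inspection only (no signature verification) and reports which claims differ, treating `scp` as a set of scopes. The token contents, audience values and scope names are constructed for the demo.

```python
import base64
import json

VOLATILE = {"iat", "nbf", "exp"}  # differ on every issuance, so skip them

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for the demo; not a real access token."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed"

def decode_payload(token: str) -> dict:
    """Decode the claims for inspection only; the signature is not checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))

def diff_claims(working: dict, failing: dict) -> dict:
    """Return the claims that differ; scp is compared as a set of scopes."""
    diff = {}
    for key in sorted(set(working) | set(failing)):
        if key in VOLATILE:
            continue
        a, b = working.get(key), failing.get(key)
        if key == "scp":
            sa, sb = set((a or "").split()), set((b or "").split())
            if sa != sb:
                diff[key] = {"only_in_working": sorted(sa - sb),
                             "only_in_failing": sorted(sb - sa)}
        elif a != b:
            diff[key] = {"working": a, "failing": b}
    return diff

# Constructed sample claims (hypothetical issuer, audience and scope names).
BROWSER_TOKEN = make_sample_token({
    "iss": "https://issuer.example/", "aud": "api://constructed-gateway-api",
    "scp": "Data.Read Data.Write", "exp": 1700003600})
MSAL_TOKEN = make_sample_token({
    "iss": "https://issuer.example/", "aud": "api://constructed-other-resource",
    "scp": "Data.Read", "exp": 1700007200})

if __name__ == "__main__":
    result = diff_claims(decode_payload(BROWSER_TOKEN), decode_payload(MSAL_TOKEN))
    print(json.dumps(result, indent=2))
```

Paste the two real tokens in place of the constructed ones on a trusted machine only, since a decoded access token is still a live credential until it expires.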