The 403 error refers to an incorrect IAM permission. As for your project, my insight is to make a custom role with only the permissions necessary to create and manage subscriptions (not roles/pubsub.editor). After that, assign that custom role at the topic level (roles/pubsub.subscriber), and this will follow the PLP and avoid granting unnecessary permissions.
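Added example (not from the answer above) of the split the answer describes: a custom role holding only subscription-management permissions, bound on the project (subscriptions are project resources, so pubsub.subscriptions.create is checked there), plus roles/pubsub.subscriber bound on the one topic so the member can attach to it. The project, topic, role id, member and file path are placeholders.

```shell
#!/usr/bin/env sh
# Placeholders (assumptions): override via the environment before running "apply".
PROJECT_ID="${PROJECT_ID:-my-project}"
TOPIC_ID="${TOPIC_ID:-orders}"
ROLE_ID="${ROLE_ID:-subscriptionManager}"
MEMBER="${MEMBER:-serviceAccount:sub-admin@my-project.iam.gserviceaccount.com}"
ROLE_FILE="${ROLE_FILE:-${TMPDIR:-/tmp}/subscription_manager_role.yaml}"

# Custom role definition: subscription management only. Deliberately absent are
# the topic/publish/consume permissions that roles/pubsub.editor would carry.
write_role_file() {
  cat > "$ROLE_FILE" <<'EOF'
title: Subscription Manager
description: Create and manage Pub/Sub subscriptions only
stage: GA
includedPermissions:
- pubsub.subscriptions.create
- pubsub.subscriptions.get
- pubsub.subscriptions.list
- pubsub.subscriptions.update
- pubsub.subscriptions.delete
EOF
  printf '%s\n' "$ROLE_FILE"
}

# Print the permissions listed in the role file, one per line.
role_permissions() { sed -n 's/^- //p' "$ROLE_FILE"; }

# Exit 0 only if every listed permission is in the allowed subscription set;
# a review check to run before the role is created or re-applied.
role_file_is_minimal() {
  ! role_permissions \
    | grep -Ev '^pubsub\.subscriptions\.(create|get|list|update|delete)$' \
    | grep -q .
}

apply_bindings() {
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$ROLE_FILE"
  # Project-level binding of the custom role: where subscriptions.* is checked.
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$MEMBER" --role="projects/$PROJECT_ID/roles/$ROLE_ID"
  # Topic-level binding of the predefined subscriber role: attachSubscription
  # on this topic only, instead of editor rights on every topic in the project.
  gcloud pubsub topics add-iam-policy-binding "$TOPIC_ID" --project="$PROJECT_ID" \
    --member="$MEMBER" --role="roles/pubsub.subscriber"
}

case "${1:-}" in
  apply) write_role_file >/dev/null; role_file_is_minimal; apply_bindings ;;
esac
```

Run as `sh script.sh apply` with an authenticated gcloud; without arguments it only defines the functions.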