For me, the 403 error was caused by using the identity/app-registration account name for the CodeSigningAccountName in the .json file. It should be the name of the trusted signing account service.