Not sure I agree with the accepted answer's comment "what it doesn't depend on is 'feature flag'". The variations mentioned do make sense, regarding 404 -- not able to find or have access to the resource, 451 -- legal reasons. But, in the case of feature flags, a strong case is made by the RFC itself that a 403 is the correct candidate:

https://www.rfc-editor.org/rfc/rfc7231#section-6.5.3

However, a request might be forbidden for reasons
   unrelated to the credentials.

Feature flags are exactly that -- a way to remove authorization for an operation or resource.