Typically a 403 response indicates your access token is not authorized with the proper scopes/permissions to be able to access a particular FHIR resource type. You can see what your token is scoped for in the response to the /oauth2/token call.
Your code indicates you're requesting certain scopes; however, that isn't the right approach for Epic. The scopes you have are determined by the API endpoints that have been added to your app. You need to update your app to include all of the endpoints you want access to; be sure to allow sufficient time for the changes to sync over to the sandbox environment.
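One way to do the check described above, as an added example that is not part of the original answer: it reads the `scope` field of a token response and lists the FHIR resource types and interactions the token does not cover, which are the requests to expect a 403 on. It assumes the scope string uses standard SMART on FHIR syntax (v1 `.read`/`.write` or v2 `cruds` letters); the sample response and the function names are constructed for illustration.

```python
import json
import re

# SMART on FHIR scope: <context>/<ResourceType|*>.<permissions>[?query]
SCOPE_RE = re.compile(r"^(patient|user|system)/(\*|[A-Za-z]+)\.([a-z*]+)(\?.*)?$")

# SMART v1 permission words mapped onto the v2 "cruds" letters.
V1_TO_V2 = {"read": "rs", "write": "cud", "*": "cruds"}


def granted_permissions(token_response):
    """Map resource type (or '*') to the set of cruds letters in the token scope.

    The patient/user/system context is ignored, and a query-restricted scope
    is counted as granting the type even though it may be narrower.
    """
    grants = {}
    for scope in token_response.get("scope", "").split():
        m = SCOPE_RE.match(scope)
        if not m:
            continue  # openid, fhirUser, launch/patient, offline_access, ...
        _, rtype, perms, _ = m.groups()
        grants.setdefault(rtype, set()).update(V1_TO_V2.get(perms, perms))
    return grants


def missing_access(token_response, needed):
    """Return the (resource type, interaction letter) pairs the token lacks."""
    grants = granted_permissions(token_response)
    missing = []
    for rtype, letter in needed:
        allowed = grants.get(rtype, set()) | grants.get("*", set())
        if letter not in allowed:
            missing.append((rtype, letter))
    return missing


# Constructed sample of a token endpoint response body (not real output).
SAMPLE = json.loads("""{
  "access_token": "REDACTED",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "openid fhirUser patient/Patient.read patient/Observation.rs"
}""")

if __name__ == "__main__":
    needed = [("Patient", "r"), ("Observation", "s"), ("MedicationRequest", "r")]
    for rtype, letter in missing_access(SAMPLE, needed):
        print(f"expect 403 on {rtype} ({letter}): not in token scope")
```

Anything reported as missing has to be fixed by adding the corresponding API endpoint to the app, not by changing the scopes the client requests.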