79661873

Date: 2025-06-11 11:07:11
Score: 0.5

One possible reason is that when you run kubectl debug with the --image flag, it creates an ephemeral debug container in the same pod. Since this debug container does not automatically inherit the same volume mounts, it doesn't get this token and any API requests, unless explicitly configured.

Try to use the --copy-to and --share-processes flags, or debug the same container image with --target. You can make a debug container that shares the same process namespace and volume mounts as the original container.

Here’s an example approach of the --copy-to command:

kubectl debug mypod --copy-to=debugpod --image=redhat/ubi8 -it --share-processes -- bash

Otherwise, if the API request still fails with a 403 error such as Forbidden, the service account may lack the necessary RBAC permissions. You need to verify and investigate the underlying issue with the Role or ClusterRole bound to the service account.

For additional reference, you may refer to this documentation:

Reasons:
  • Blacklisted phrase (1): this document
  • Long answer (-0.5):
  • Has code block (-0.5):
  • Low reputation (0.5):
Posted by: miracle
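
An added example, not part of the original answer: a check over a pod's JSON (as returned by kubectl get pod -o json) that reports which containers have the service account token directory mounted, showing the ephemeral debug container without it. The pod name, service account name, volume suffix and debug container name in the sample are constructed.

```python
import json

SA_TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed sample, trimmed to the fields used here; shaped like
# `kubectl get pod mypod -o json` after `kubectl debug --image=...`.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "mypod"},
  "spec": {
    "serviceAccountName": "app-sa",
    "containers": [
      {"name": "app",
       "volumeMounts": [
         {"name": "kube-api-access-x7k2p",
          "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
          "readOnly": true}]}
    ],
    "ephemeralContainers": [
      {"name": "debugger-abc12", "image": "redhat/ubi8"}
    ]
  }
}
""")


def token_mount_report(pod):
    """Map each container name to (kind, has_service_account_token_mount)."""
    spec = pod.get("spec", {})
    report = {}
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            mounts = c.get("volumeMounts") or []
            has_token = any(
                m.get("mountPath", "").rstrip("/") == SA_TOKEN_DIR for m in mounts
            )
            report[c["name"]] = (kind, has_token)
    return report


def containers_without_token(pod):
    """Names of containers with no mount at the standard token path."""
    return sorted(n for n, (_, ok) in token_mount_report(pod).items() if not ok)


if __name__ == "__main__":
    for name, (kind, ok) in token_mount_report(SAMPLE_POD).items():
        print(f"{name:20} {kind:20} token mounted: {ok}")
```

To run it against a live pod, replace SAMPLE_POD with the parsed output of kubectl get pod for that pod.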