If you're sending POST requests to routes other than /api then you'll need to add those to the $except array in VerifyCsrfToken, and add ->middleware(['auth:sanctum']) to those routes in web.php routes file.