I'm trying to create a 2-way-sync todo app. When a new todo or shopping item is added through the VUI I get an event in my lambda function and handle it. I want to add items the other way around too, so I followed this doc: alexa-lists
My skill has list read and write enabled, I'm using ClientId and ClientSecret to obtain the out-of-session access_token, which I later use as a bearer token to access the lists api (just as described in the above mentioned link). Now there should be two outcomes: 200 success or 403 not authorized. I get 403 Not all permissions are authorized - an error message so rare, google is unable to give me any suggestions. Just to clarify: this is not a simple 403 authorization problem, my skill has the necessary permissions and if I omit the access_token I get a proper no-way-jose 403. If I change anything in the requests (Content-type, scope or authorization) the error message is different, so my assumption is that the request itself is valid, and there might be issues with the IAM user permissions or the Lambda role.
Thanks in advance for any help.