Hi @Leau Bee Lin ,
Per my test, I can get Access Token without grant permission to the client id. So I will agree with ShaikMaheer's opinion. Please check if you have grant permission to the client id. You can refer to following steps:
Go to the appinv.aspx page by the url
https://xxx.sharepoint.com/sites/test/_layouts/15/appinv.aspx
Fill the client id and click look up and App's Permission Request XML like the pic
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>
You can choose permission level by following link
https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint
Click create and then trust it
The document for reference
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
Finally the maximum length of the Request URI for requests to our REST API endpoints is 4096 characters. If the request URI exceeds this length, you should see the following error message in the response:
URI length exceeds the configured limit of 4096 characters
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.