The best thing to do here is to check the access token. While there is no direct way to expose the token, you can use the following workaround, thanks to the Invoke-MgGraphRequest cmdlet:
$request = Invoke-MgGraphRequest -uri "https://graph.microsoft.com/v1.0/admin/serviceAnnouncement/messages" -OutputType HttpResponseMessage
$request.RequestMessage.Headers.Authorization.Parameter | clip
The token will be copied to the clipboard, so go ahead and paste it over at jwt.ms to get the decoded values. Double-check the permissions ("scp" claim) and roles assigned ("wids" claim).
Other than that, it might be that said messages are simply not exposed via app authentication and only available via delegate permissions (user login).