I have tested your problem. The test was successful and I did not encounter the problem, so I will share my test process and the points that need attention. You can compare against it to find where you get the 403 error.
First of all, the app we created in Entra ID needs to be granted the delegated permission User.Read.All, and it needs administrator consent, as shown in the image below.
Next, we need to obtain the token through the auth code flow. We can then parse the token we obtained with jwt.ms and make sure that the token has the User.Read.All permission, as shown in the following figure.
Finally, here are my test results.
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
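The scope check described in the answer above can also be scripted locally instead of reading the token in jwt.ms. This is an added example, not part of the original answer: the function names and the sample tokens are constructed for illustration, and the signature is not verified (claim inspection only).

```python
import base64
import json


def decode_claims(token):
    """Return the payload claims of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_delegated_scope(token, required="User.Read.All"):
    """Return (ok, reason) for whether `required` is a delegated scope in the token."""
    claims = decode_claims(token)
    # Delegated permissions are a space-separated string in `scp`;
    # application permissions are a list in `roles`.
    scopes = {s.lower() for s in claims.get("scp", "").split()}
    roles = {r.lower() for r in claims.get("roles", [])}
    want = required.lower()
    # Exact set membership: "User.Read" must not satisfy "User.Read.All".
    if want in scopes:
        return True, f"{required} present in scp"
    if want in roles:
        return False, f"{required} is an application role, not a delegated scope"
    return False, f"{required} missing; scp contains: {sorted(scopes) or 'nothing'}"


def build_sample(claims):
    """Constructed, unsigned sample token for offline testing (not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])


if __name__ == "__main__":
    samples = {
        "consented": {"scp": "openid profile User.Read.All"},
        "only User.Read": {"scp": "openid profile User.Read"},
        "app-only": {"roles": ["User.Read.All"]},
    }
    for name, claims in samples.items():
        print(name, "->", check_delegated_scope(build_sample(claims)))
```
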