This is because your token does not have permission.
First, you need grant the Group.Read.All
application permission to the application and grant the admin consent.
Next, you can use the client credential flow to get the token.
Call the api.
If an Answer is helpful, please click "Accept Answer" and upvote it.