Thank you for the quick answer. Your suggestion has gotten me closer! I am now able to add a user to a group via Graph Explorer.
What I did was add my API user as an owner of the target group and then consent to some permissions. (Since I have no idea which consent I needed to do I just consented to as many things as I thought might be related to this issue and after 3-4 batches of consents it started working. So, alas, I have no idea which combination was the winning set.)
Question: WIll I need to add my API user as owner to ALL my groups and consent to dozens of random permissions in order to all my API user to add users to groups??? (There has to be a more efficient way than this path.)
However, I'm still unable to perform this task via my Python script. My Python script is currently able to add/view/remove users and view groups so I don't think it is an auth token issue.)
group_id="blah"
user_id="blah"
url='https://graph.microsoft.com/v1.0/groups/{group_id}/members/$ref'
data={'@odata.id': 'https://graph.microsoft.com/v1.0/directoryObjects/{user_id}'}
b'{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2022-06-30T13:35:53","request-id":"blah","client-request-id":"blah"}}}'
Note: Using the correct group_id and user_id I literally copy/pasted the url and data values into Graph Explorer to get that to work so I don't think it is a malformed POST query either.