I would recommended you check “Troubleshoot” section to verify your token. Basically, once you get token from Azure Ad, you can look the token inside by pasting token content to http://jwt.calebb.net. The key point here is to check if the “Role” section includes the correct permission. “How do you know if your application was consented successfully?” section mentioned the detail. If you don’t find that role, most of time, it means the permission you didn’t setup properly or the admin didn’t grant the permission.
thanks again for your reading my post and let me know if that helps you.