How can I allow users to restart their own server?

Are you making the API call using the token from the singleuser environment? That’s been tightened up significantly to only contain the minimal permissions needed for web access to the singleuser server.

If you create a new API token it should have all the expected permissions. Alternatively you can modify the server (not the user) role: