
We have deployed our custom app, which consumes a delegated Graph AD app token for the GET /bookingBusinesses/{id} API, in our client environment.


This token works fine with online API test tools like reqbin and webtools.

However, it fails with 403 Forbidden for a console app, a deployed Azure API app, an Azure Function, cURL, and Postman.


Response Body:



We have set up the AD app in different tenants and it is working fine, but it does not work in the client's tenant on custom apps and Postman.


The same token is working with online tools but not with custom apps and Azure Functions.

Is there any restriction that can be set up to block calls from certain clients? 

I have attached the token parsed diff file if that can help.