Reputation: 3361
I'm trying to insert a new member into a Google email group using authorization based on a service account. I got the basic code from this page. The guts are this:
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Admin.Directory.directory_v1.Data;

// Build the member to add; Id is the group key (the group's email address or unique id)
Member newMember = new();
newMember.Email = email;
newMember.Role = "MEMBER";
MembersResource.InsertRequest insertRequest = new(DirService, newMember, Id);
insertRequest.Execute();
According to Google, the members.insert method requires one of the following OAuth scopes:
I'm getting my authorization like so:
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.PeopleService.v1;
using Google.Apis.Services;
using System.Threading;
// [open stream on JSON file I downloaded a while ago from the APIs & Services/Credentials page]
Credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
    GoogleClientSecrets.FromStream(stream).Secrets,
    // scopes requested for this run
    new[] { DirectoryService.Scope.AdminDirectoryGroup, PeopleServiceService.Scope.Contacts,
            DirectoryService.Scope.AdminDirectoryGroupMember, DirectoryService.Scope.AdminDirectoryUser },
    // key under which the broker stores and later reuses the granted token
    "[snip]@email-group-updater.iam.gserviceaccount.com", CancellationToken.None);
var initializer = new BaseClientService.Initializer()
    { HttpClientInitializer = Credential, ApplicationName = "UpdateMailGroups" };
DirService = new DirectoryService(initializer);
so I'm including two of the required scopes. Also, this code is working fine for retrieving the members of groups, so the basic authorization is correct. It's only when I go to add a member that I get the error.
When I look in the Google Admin pages, my service account is enabled and has a numeric OAuth2 Client ID starting with 114324. I've got Domain-wide Delegation enabled, showing that same Client ID. Under Security/API Controls/Domain-wide delegation I see two API clients, one is my service account (it has a client ID starting with 114324). The second API client has a client ID I believe belongs to my application (though I'm not sure where to double-check that). Both API clients are authorized for the following scopes:
The error is
GoogleApiException: The service admin has thrown an exception. HttpStatusCode is Forbidden. Request had insufficient authentication scopes.
Error=Google.Apis.Requests.RequestError
Request had insufficient authentication scopes. [403]
Errors [
  Message[Insufficient Permission] Location[ - ] Reason[insufficientPermissions] Domain[global]
]
ErrorResponseContent={
  "error": {
    "code": 403,
    "message": "Request had insufficient authentication scopes.",
    "errors": [
      {
        "message": "Insufficient Permission",
        "domain": "global",
        "reason": "insufficientPermissions"
      }
    ],
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
        "domain": "googleapis.com",
        "metadata": {
          "service": "admin.googleapis.com",
          "method": "ccc.hosted.frontend.directory.v1.DirectoryMembers.Insert"
        }
      }
    ]
  }
}
What am I missing here?
EDIT
Here's what I'm seeing in the Google Admin Console:
Upvotes: 4
Views: 19317
Reputation: 11202
In my case, this error was caused by my simply not noticing that I have to check the following checkbox when I'm already logging in:
Upvotes: 0
Reputation: 3361
Figured it out!
A previous incarnation of this application had requested a smaller set of privileges, and when the new version of the application asked for more privileges, Google couldn't figure out what to do.
The solution was to go to the Google Account/Services page, "Your connections to third-party apps & services", and delete the application. The first time I re-ran the application I just got an exception, but the second time Google asked for me to authorize the app, and when I agreed it worked!
Upvotes: 0
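The accepted answer's fix works because GoogleWebAuthorizationBroker.AuthorizeAsync runs the installed-app user-consent flow and caches the resulting token in a FileDataStore under the string passed as its third argument (here the service account address, though it is only a cache key). On later runs the cached token is reused as-is, so a consent granted for a smaller scope set survives a change to the scope array, and the API then rejects the call with ACCESS_TOKEN_SCOPE_INSUFFICIENT. The following is an added example, not code from the question or either answer: it compares the scopes the authorization server actually granted (TokenResponse.Scope) with the scopes the program needs, and if any are missing it discards the cached token and re-runs consent before building the DirectoryService. The credentials path, the token-store name "UpdateMailGroups.Tokens", the user key and the two-scope set are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Google.Apis.Admin.Directory.directory_v1;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Responses;
using Google.Apis.Services;
using Google.Apis.Util.Store;

public static class ScopeCheckedAuth
{
    // Scopes this example requests (assumed set); members.insert accepts either Directory scope.
    public static readonly string[] RequiredScopes =
    {
        DirectoryService.Scope.AdminDirectoryGroup,
        DirectoryService.Scope.AdminDirectoryGroupMember,
    };

    // TokenResponse.Scope is the space-separated list the authorization server actually
    // granted. When a token cached under the same user key is reused, it reflects the
    // consent given at that earlier time, not the scopes passed to AuthorizeAsync now.
    // A null/empty scope string is treated as "nothing known to be granted".
    public static IReadOnlyList<string> MissingScopes(string grantedScopes, IEnumerable<string> required)
    {
        var granted = new HashSet<string>(
            (grantedScopes ?? string.Empty).Split(' ', StringSplitOptions.RemoveEmptyEntries),
            StringComparer.Ordinal);
        return required.Where(s => !granted.Contains(s)).ToList();
    }

    public static async Task<DirectoryService> BuildDirectoryServiceAsync(
        string clientSecretsPath,   // assumed: path to the downloaded OAuth client JSON
        string userKey,             // assumed: key under which the token is cached
        CancellationToken ct)
    {
        // Name the data store explicitly so the cached token can be located and removed.
        var store = new FileDataStore("UpdateMailGroups.Tokens");

        var credential = await AuthorizeAsync(clientSecretsPath, userKey, store, ct);

        var missing = MissingScopes(credential.Token.Scope, RequiredScopes);
        if (missing.Count > 0)
        {
            // An earlier consent granted fewer scopes. Drop the cached token and run the
            // consent flow again, rather than letting members.insert fail later with
            // ACCESS_TOKEN_SCOPE_INSUFFICIENT.
            Console.Error.WriteLine("Cached token lacks: " + string.Join(", ", missing));
            await store.DeleteAsync<TokenResponse>(userKey);
            credential = await AuthorizeAsync(clientSecretsPath, userKey, store, ct);

            missing = MissingScopes(credential.Token.Scope, RequiredScopes);
            if (missing.Count > 0)
                throw new InvalidOperationException(
                    "Consent did not grant: " + string.Join(", ", missing));
        }

        return new DirectoryService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "UpdateMailGroups",
        });
    }

    private static async Task<UserCredential> AuthorizeAsync(
        string clientSecretsPath, string userKey, IDataStore store, CancellationToken ct)
    {
        using var stream = File.OpenRead(clientSecretsPath);
        return await GoogleWebAuthorizationBroker.AuthorizeAsync(
            GoogleClientSecrets.FromStream(stream).Secrets,
            RequiredScopes, userKey, ct, store);
    }
}
```

Deleting the cached TokenResponse is the local equivalent of removing the app under "Your connections to third-party apps & services": either way the next AuthorizeAsync has no token to reuse and must show the consent screen for the full scope list. If the intent really is to act as the service account with domain-wide delegation (no browser consent at all), the credential is instead built from the service account's JSON key with GoogleCredential.FromStream(stream).CreateScoped(scopes).CreateWithUser(adminEmail), where adminEmail is the Workspace admin the service account impersonates; the scopes granted under Security/API Controls/Domain-wide delegation then apply, and no consent cache is involved.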