Scott

Reputation: 71

What causes this API call to return 403? SharePoint ProjectWebApp

I've got an issue with an integration I'm trying to go live with at a customer, where I've set up the app registration with, from what I can tell, the same parameters. Authentication takes place via msal4j Username/Password flow, returning a token.

For my example of the issue, I'll use a GET call to https://{tenant}.sharepoint.com/sites/pwa/_api/ProjectServer/Projects.

This works well at our tenant, but at my client it (and all other calls) returns:

{
    "odata.error": {
        "code": "-2147024891, Microsoft.Office.Project.Server.Exceptions.ProjectServerUnauthorizedAccessException",
        "message": {
            "lang": "en-US",
            "value": "User <customercontent></customercontent> could not be authenticated because logon permission has not been granted"
        }
    }
}

So, the steps I've taken to ensure that all the parameters are the same between my tenant and my client's:

The app registration has API permissions for:

  1. Project.Read
  2. Project.Write
  3. ProjectWebApp.FullControl
  4. User.Read

And has admin consent granted.

In authentication settings we have allowed "public client flows".

Decoding the token I can see that scp contains:

  1. Project.Read
  2. Project.Write
  3. ProjectWebApp.FullControl
  4. User.Read

The user which is used to generate the token is an admin of the Project Web App site.

The one difference I can come to think of between our environments is that my customer has set up different conditional access, requiring the account to be on their own network to bypass 2FA. But since we manage to generate the token, I can't see that being the issue.

Any ideas on what I could be missing here?

Upvotes: 0

Views: 20
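
The side-by-side token comparison described in the question can be done mechanically. The following is an added example, not code from the original post: it decodes two access tokens and lists every claim that differs between the working and the failing tenant. The tenant names, the user names and both sample tokens are constructed, and the helper names are hypothetical. It compares only what the tokens carry and does not check anything configured on the Project Web App site itself.

```python
import base64
import json

# Standard JWT claims that differ between any two tokens and say nothing about setup.
VOLATILE = {"iat", "nbf", "exp", "jti"}

def jwt_claims(token: str) -> dict:
    """Return a JWT's payload without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def normalise(name, value):
    # scp is a space-separated string; compare it as a sorted list so order is ignored.
    if name == "scp" and isinstance(value, str):
        return sorted(value.split())
    return value

def diff_claims(working: dict, failing: dict) -> dict:
    """Map claim name -> (working value, failing value) for every claim that differs."""
    out = {}
    for name in sorted((set(working) | set(failing)) - VOLATILE):
        a = normalise(name, working.get(name))
        b = normalise(name, failing.get(name))
        if a != b:
            out[name] = (a, b)
    return out

def make_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed samples: same scopes in a different order, different tenant and user.
WORKING = make_token({"aud": "https://contoso.sharepoint.com", "iat": 1,
                      "scp": "Project.Read Project.Write ProjectWebApp.FullControl User.Read",
                      "upn": "svc@contoso.example"})
FAILING = make_token({"aud": "https://fabrikam.sharepoint.com", "iat": 2,
                      "scp": "User.Read ProjectWebApp.FullControl Project.Write Project.Read",
                      "upn": "svc@fabrikam.example"})

if __name__ == "__main__":
    for claim, (ours, theirs) in diff_claims(jwt_claims(WORKING), jwt_claims(FAILING)).items():
        print(f"{claim}: working={ours!r} failing={theirs!r}")
```

Because the signature is never verified, this is suitable for inspecting tokens you obtained yourself, not for making authorization decisions.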

Answers (0)
