I've seen similar challenges in ADO integrations, too. Making sure the account used by the OAuth Application Registry in the target platform has the access it needs is really important. Accounts with delegated roles instead of admin accounts are great for security purposes, but if they're not set up correctly, then this is the kind of issue you can see.
