PATCH /api/v2/users compliance attestation returning 403 despite correct scopes

What’s the cleanest way to bulk-assign compliance attestation flags via the User API without triggering RBAC throttling?
Running a Node script against the /api/v2/users endpoint to push HIPAA consent flags for 2k new agents. The PATCH request keeps returning a 403 Forbidden with {"reason":"FORBIDDEN","message":"User lacks required permission: user:edit"} even though the OAuth app has user:edit and user:compliance:readwrite scoped. Console shows the client secret was rotated yesterday, but the token refresh works fine.

const res = await fetch(`https://{{org}}.mypurecloud.com/api/v2/users/${id}`, {
 method: 'PATCH',
 headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' },
 body: JSON.stringify({ compliance: { attestationRequired: true } })
});

Rate limits aren’t the issue here. Calls are spaced at 1.2s intervals and the 429 headers stay clear. Does the compliance payload require a separate admin group assignment before the API accepts it? The docs mention a background job for flag propagation but don’t specify the exact sequence.
Response payload dumps show:
status: 403
x-request-id: 7f3a9b2c-8811-4d2e-9a0f-1123456789ab
retry-after: null