Trying to finish getting Workflow set up to drop items on people's calendars in Exchange Online.

I have an app registration created, a user assigned to the application, Client ID, Tenant ID, Secret...

I have referenced this document Web Services, specifically this part:
 

• If connecting to a Microsoft 365 Exchange® service, select Use OAuth and provide the credentials necessary for that service:
  • Username: The username of the account associated with the mailbox.
  • Application (client) ID: This is the application ID assigned to your app. The ID can be found in the Microsoft Azure portal.
  • Client secret: The client secret generated for the app in the Microsoft Azure portal.
  • Tenant ID: The directory tenant that granted the app the permissions requested, in GUID format. The ID can be found in the Microsoft Azure portal.
  • Redirect Uri: The destination URI when returning authentication responses (tokens) after successfully authenticating users. Also referred to as reply URLs.

    Note: You must create an app registration within the Microsoft 365 or Azure management portal to obtain the information necessary. When registering for Exchange API access, the Exchange user created for this purpose must have "full_access_as_app" permissions with full access to all mailboxes.

    Note: For Exchange Online, set the URL to https://outlook.office365.com/ews/exchange.asmx, and the redirect URI to https://login.microsoftonline.com/common/oauth2/nativeclient unless otherwise specified by Microsoft.

Currently, when testing the URL, I get a Forbidden response:

Settings look like this:

Couldn't find the permission referred to as full_access_as_app, so I grabbed a few permissions that looked like the ability to write to all calendars and also query the profiles.

Workflow is the latest version as of this writing. Also, SharePoint Online web service is working properly.

Update:
I have added the user to an admin role in Exchange