403 on device subscription

Another day, another mystery working with SmartThings. I’m getting an inexplicable 403 Forbidden error when attempting to subscribe to device updates:

POST https://api.smartthings.com/installedapps/<installation>/subscriptions
Authorization: Bearer <personal-token>

{
  "sourceType": "DEVICE",
  "device": {
    "deviceId": "[redacted]",
    "componentId": "main",
    "capability": "*",
    "attribute": "*",
    "value": "*"
  }
}

Response: 403 Forbidden (blank body, no error message).

  1. I have the correct permission (from the install callback): r:devices:[device-id], w:devices:[device-id], x:devices:[device-id]
  2. The personal token is correct (can make calls to the API no problem).
  3. The installed app ID is correct (from callback)
  4. The device ID is correct (checked with API call)

Nothing in the “live logging” console. I’m doing this all through calls in Insomnia and Postman after the install process, on-demand.

The docs say:

" SmartApps may create subscriptions for specific devices selected and authorized by the user during Configuration."

Do they HAVE to be created only during the install process only? Is there any reason the auth_token is a duration of 5mins?

UPDATE: this actually appears on ALL verbs for subscriptions. a GET /installedapps/{id}/subscriptions with a personal access token results in a 403. Is this intended? It seems odd, to say the least.