Perform the following actions:
Verify whether Activate OAuth is selected for the Protected Resource.
Verify authorization policies are configured. Also, verify if the token contains required scopes by using the TokenInfo endpoint.
Verify Identity Injection policies. Enable Application debug logs in Identity Server and ESP and check for policy results.