To fix, I revoked access to the app at https://accounts.google.com/IssuedAuthSubTokens and retried after which, I was able to access the API correctly.
Despite having the scope in the list, and the scope showing up on Google’s OAuth2 grant page, the additional scope wasn’t granted.