@NDNMD I suspect that the signed-in user needs to be in either Cloud Application Administrator or the Application Administrator role. With delegated permissions the service looks at both the permissions granted to the app AND the permissions that the signed-in user has. and decides whether the combo means that the user+app have access to the API operation.
See https://learn.microsoft.com/en-us/graph/auth/auth-concepts#delegated-and-application-permissions for more info on delegated permissions.
Hope this helps
Dan