Argh. OK, solved [edit: to clarify, I mean this subproblem is solved … the underlying bug isn’t]. I had not obtained the JWT with /users/api_token from the password token. This post sorted it out for me: https://forum.inaturalist.org/t/how-does-one-turn-an-authorization-code-into-a-jwt/13528
And then my test worked in curl. I’m reworking my python code snippet to do it that way.