TEST-OAuthConnectivity | The remote server returned an error: (403) Forbidden
Hello Exchange Tech Community,
I have setup a lab environment of Exchange Server 2016 in Hybrid Configuration. I can successfully onboard and offboard mailboxes. OnPrem Exchange Server is
I have a Microsoft 365 Business Basic subscription for Exchange Online. Entra ID Sync is working seamlessly. Email flow between OnPrem and EXO and vice versa work perfectly.
When I am testing OAuth functionality from OnPrem to EXO, I am getting this error highlighted in yellow
Do I need to assign any role to the synchronized user in Entra ID? Currently, they are just MEUs in EXO.
When OAuth is tested from EXO to OnPrem, I am getting this error
Please advise.
1 Reply
A 403 Forbidden during the OAuth test normally indicates that the server-to-server OAuth configuration is incomplete between Exchange On-Prem and Exchange Online.
Key items to verify:
1. The Autodiscover and EWS URLs must be published externally
Hybrid OAuth requires EXO to reach your on-prem EWS and Autodiscover endpoints over HTTPS.
If the URL is internal-only or the certificate isn’t trusted externally, EXO will return a 403.
2. The OAuth certificate on the on-prem Exchange server must be valid and assigned
Check with:
Get-AuthConfig
Get-ExchangeCertificate
Make sure the certificate used by AuthConfig is:
• Trusted
• Not expired
• Has a private key
• Assigned to the Auth service
3. The Intra-Organization Connector must point to the correct Autodiscover URL
Run:
Get-IntraOrganizationConnector
Confirm the TargetAutodiscoverEpr matches your external Autodiscover URL.
4. No additional Entra ID roles are required
A synchronized user does not need extra roles for OAuth. MEU is fine. This error is not permission-related at the user level.
5. The EXO → On-Prem error about “account not provisioned” usually means missing mailbox GUID
EXO expects the on-prem user object to contain the correct Exchange attributes (msExchMailboxGuid, targetAddress, etc.).
Incorrect or missing values can cause OAuth/claims validation to fail.
In most cases, correcting the Autodiscover/EWS URLs and re-running Hybrid Configuration Wizard fixes the issue.
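The checks in items 2 and 3 above, collected into one script so the certificate and connector state can be reviewed together. This is an added example, not code from the original reply; it assumes it is run in the on-prem Exchange Management Shell, that the connector's Autodiscover URL is exposed as its DiscoveryEndpoint property, and that the $expectedAutodiscover value is replaced with your own external Autodiscover URL (the one below is a placeholder).

```powershell
# Added example: summarise the on-prem OAuth prerequisites in one pass.
# Replace the placeholder with the externally published Autodiscover URL.
$expectedAutodiscover = 'https://autodiscover.example.com/autodiscover/autodiscover.svc'
$now      = Get-Date
$findings = @()

# Item 2: the certificate referenced by AuthConfig must exist, be valid,
# be within its validity period and carry a private key.
$auth  = Get-AuthConfig
$thumb = $auth.CurrentCertificateThumbprint
if (-not $thumb) {
    $findings += 'AuthConfig has no CurrentCertificateThumbprint set'
} else {
    $cert = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue
    if (-not $cert) {
        $findings += "Auth certificate $thumb is not present in the local certificate store"
    } else {
        if ($cert.NotAfter  -lt $now)   { $findings += "Auth certificate expired on $($cert.NotAfter)" }
        if ($cert.NotBefore -gt $now)   { $findings += "Auth certificate not valid until $($cert.NotBefore)" }
        if (-not $cert.HasPrivateKey)   { $findings += 'Auth certificate has no private key' }
        if ($cert.Status -ne 'Valid')   { $findings += "Auth certificate status is $($cert.Status)" }
    }
}

# Item 1 (on-prem side): EWS must publish an HTTPS external URL for EXO to reach.
foreach ($vd in Get-WebServicesVirtualDirectory) {
    if (-not $vd.ExternalUrl) {
        $findings += "EWS vdir $($vd.Identity) has no ExternalUrl"
    } elseif ($vd.ExternalUrl.Scheme -ne 'https') {
        $findings += "EWS vdir $($vd.Identity) ExternalUrl is not HTTPS: $($vd.ExternalUrl)"
    }
}

# Item 3: the Intra-Organization Connector must be enabled and point at
# the external Autodiscover endpoint.
$connectors = @(Get-IntraOrganizationConnector)
if ($connectors.Count -eq 0) {
    $findings += 'No IntraOrganizationConnector found; re-run the Hybrid Configuration Wizard'
}
foreach ($c in $connectors) {
    if (-not $c.Enabled) { $findings += "Connector $($c.Name) is disabled" }
    if ("$($c.DiscoveryEndpoint)" -ne $expectedAutodiscover) {
        $findings += "Connector $($c.Name) DiscoveryEndpoint is $($c.DiscoveryEndpoint), expected $expectedAutodiscover"
    }
}

if ($findings.Count -eq 0) { 'All on-prem OAuth prerequisites look correct.' }
else { $findings | ForEach-Object { "CHECK: $_" } }
```

Each "CHECK:" line maps back to one of the numbered items in the reply, so an empty result means the remaining suspects are the external publishing of the URLs (item 1, tested from outside the network) or the on-prem user attributes (item 5).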