I can use the bearer token to do a GET on https://<<tenant>>.sharepoint.com/sites/pwa/_api/web/lists without a problem. However when I try to access https://<<tenant>>.sharepoint.com/sites/pwa/_api/ProjectData/Projects I get an authorization error, code 20010, "Access Denied".
The user I'm logging in with is the company administrator, and has also been added as a site admin for the Project site explicitly by name. Also when I'm logged in as that user, I can navigate to the above link and get the data inside the browser. That's using login cookies I guess, not oauth.
It seems obvious that I've not added the correct permissions, but I've given every permission I can find to my user through the admin website, not only to the project site but to the root site.
I'm pretty stumped, I'd be grateful for a trailhead.