Upload endpoint returns 403

[tilschuenemann]

Describe the bug
When trying to upload an image file using the Upload endpoint, I get an error:

sp_api.base.exceptions.SellingApiForbiddenException: [{'code': 'Unauthorized', 'message': 'Access to requested resource is denied.', 'details': ''}]

To Reproduce

I'm running this script:

from sp_api.api import Upload
from sp_api.base import Marketplaces
from PIL import Image

credentials = dict(
    lwa_app_id="xxx",
    lwa_client_secret="xxx",
    aws_access_key="xxx",
    aws_secret_key="xxx",
    refresh_token="xxx"
)

u = Upload(
    marketplace=Marketplaces.ES,
    credentials=credentials,
)
res = u.upload_document(resource="/aplus/2020-11-01/contentDocuments", file=image_path, content_type="image/png")

The exact error message:

Traceback (most recent call last):
  File "/home/til/code/monorepo/src/mpm/mahler.py", line 714, in <module>
    main()
  File "/home/til/code/monorepo/src/mpm/mahler.py", line 701, in main
    m.acm_es.upl.upload_document(resource="/uploads/v1/uploadDestinations/aplus/2020-11-01/contentDocuments", file="playground/test.png")
  File "/home/til/.local/lib/python3.11/site-packages/sp_api/base/helpers.py", line 21, in wrapper
    return function(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/til/.local/lib/python3.11/site-packages/sp_api/api/upload/upload.py", line 15, in upload_document
    return self._request(fill_query_params(kwargs.pop('path'), resource), params=kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/til/.local/lib/python3.11/site-packages/sp_api/base/client.py", line 157, in _request
    return self._check_response(res, res_no_data, bulk, wrap_list)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/til/.local/lib/python3.11/site-packages/sp_api/base/client.py", line 183, in _check_response
    raise exception(error, headers=res.headers)
sp_api.base.exceptions.SellingApiForbiddenException: [{'code': 'Unauthorized', 'message': 'Access to requested resource is denied.', 'details': ''}]

Expected behavior

No errors + successful upload.

Desktop (please complete the following information):
Arch Linux, Kernel 6.1.38-2 LTS
Python 3.11.3 64 bit

Additional context
I'm running a fresh setup of my policies, roles, and user. All token are valid and work, eg. when using the AplusContent endpoint. Most importantly I have the Product Listing role.

I reference the endpoint used in the example docs by Amazon.

Are there any other permissions I need?