Create webhook: 403 insufficient_scope (Custom app, JWT Auth, Python SDK)

Hi,

Hope someone can provide a little insight on my problem

I get the 403 error "insufficent_scope" when I try to create a webhook with my app.
Here is my setup:

App configurations

I have a Custom app with the following settings in the

Developer console:

1. Authentication method: JWT Auth
2. Application access: Application
3. Application Scopes: Manage webhooks (check), Re/Wr files and folders (check), Manage users (check), Manages groups (check), Manage enterprise properties (check)
4. Advanced features: Perform actions as users (enabled), Generate User access tokens (enabled)
5. Add and Manage Public keys: have my Pub key here
6. App settings: have my JSON file here, which I use to authenticate in my python script for the client object (along with my private key)

Admin console (Custom App tab):

1. Authorization: Authorized
2. Status: Enabled

Box folder environment:

1. Box app is owner of a given folder (having a service account email AutomationUser_<some-num>_<another-num>@boxdevedition.com)
2. My personal user is co-owner 

Snippet with Python SDK

config = JWTAuth.from_settings_file('box_app_config.json')
client = Client(config)

file_id = "<my-file-id>"
listener = "https://webhook.site/<some-trailing-num>"

file = client.file(file_id=file_id)
webhook = client.create_webhook(file, ['FILE.PREVIEWED'], listener)
print('Webhook ID is {0} and the address is {1}'.format(webhook.id, webhook.address))

Error

"POST https://api.box.com/2.0/webhooks" 403 0
{'Date': 'Sat, 24 Oct 2020 10:31:46 GMT', 'Transfer-Encoding': 'chunked', 'Connection': 'keep-alive', 'Strict-Transport-Security': 'max-age=31536000', 'WWW-Authenticate': 'Bearer realm="Service", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token."', 'BOX-REQUEST-ID': '0704a02fc24222fe203d35dfb28abf5e2'}
b''

What am I missing?

I tried to switch the app's access from 'Application' to 'Enterprise' in the Developer console, and check off the "Manage enterprise properties" + "Manage webhooks", but with no luck. Do I need to re-authorize the app in Admin console when 'Application access' is changed?

The error description complains about the access token, but as far as I understand with this method, I use a ".. digitally signed JSON Web Token" when authenticating as the service account with the Pyhton SDK. Does this mean the webhook endpoint does not support JWT Auth for custom apps in Python SDK?