I have added a new business app with which to manage product catalogs and ads via the marketing API. When I attempt to make any calls to graph API that require the catalog_management permission I receive the error "The app is not whitelisted to use this API".
My understanding is that this should work without the need for app review as all elements (app, system user, ad account, catalog) exist under the same business entity and the app has standard access on the catalog_management permission.
I note that the access token does not seem to include the catalog_management permission despite it being requested during token generation.
Any help greatly appreciated!
I discovered the missing element to this was that the system user needed to also be an app user so giving the system user testing permission on the app and regenerating the access token fixed the issue.