Microsoft Azure Cloud service management API fails with 401: Unauthorized error?

Prashant Jagadale 1 Reputation point
2021-04-12T12:40:21.323+00:00

We are integrating the Role Assignments - List API from Microsoft Azure Cloud Management APIs, Link to documentation: https://video2.skills-academy.com/en-us/rest/api/authorization/roleassignments/list#errordetail

We have done all of the configs mentioned:

  • Registered a multi-tenant web app with Azure Active Directory for OAuth using the App Registrations option,
  • Also enabled the https://management.azure.com/user_impersonation scope under Azure Service Management,
  • The same scope is requested by the web app.

So far OAuth succeeds, but when the received access token is used to call the API GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01, it fails with a 401 Unauthorized error. I have replaced the subscriptionId with the appropriate value while making the actual call.

I looked at the details of the access token using https://jwt.io/ and the scp element only seems to contain "scp": "User.Read", missing user_impersonation, even though the auth dialog from the Microsoft login service clearly shows the requested user_impersonation grant. The user account I am using for the OAuth has access to the given Azure subscription.

What might be the problem?


1 answer

  1. Prashant Jagadale 1 Reputation point
    2021-05-11T04:57:28.017+00:00

    Hey @JamesTran-MSFT, I solved the issue by using the scope https://management.azure.com/user_impersonation. If I use another scope together with this scope, it fails with 401. E.g. if I use the scope array [ "User.Read", "https://management.azure.com/user_impersonation" ] it fails with 401, but when I use a scope array with the single scope [ "https://management.azure.com/user_impersonation" ] it works for me.

    I guess the user_impersonation scope cannot be used in combination with MS Graph scopes.

    Thanks for the reply.

    Regards,
    _Prashant
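The diagnosis in the question (inspecting the token on jwt.io) and the finding in the answer (a token obtained for a mixed Graph/ARM scope list is not usable against ARM) can be turned into a small offline check. This is an added example, not code from the question, the answer or Microsoft; it only decodes the JWT payload without verifying the signature, and the two sample tokens are constructed here to mirror the two cases described above.

```python
import base64
import json

# The resource the Role Assignments API lives under, and the delegated scope it expects.
ARM_AUDIENCE = "https://management.azure.com"
ARM_SCOPE = "user_impersonation"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    This is a diagnostic view only (what jwt.io shows); the receiving API is the
    party that validates the signature, issuer and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_arm_token(token: str) -> list:
    """List the reasons ARM would reject this token (empty list means it looks usable)."""
    claims = jwt_claims(token)
    aud = claims.get("aud", "")
    if isinstance(aud, list):  # 'aud' may be a list in general JWTs; take the first entry
        aud = aud[0] if aud else ""
    problems = []
    if aud.rstrip("/") != ARM_AUDIENCE:
        problems.append(f"aud is {aud!r}: token was issued for another resource, not ARM")
    scopes = claims.get("scp", "").split()  # 'scp' is a space-separated string
    if ARM_SCOPE not in scopes:
        problems.append(f"scp {scopes} lacks {ARM_SCOPE!r}")
    return problems


def _make_unsigned_token(payload: dict) -> str:
    # Constructed sample token for the demo; the signature segment is a dummy placeholder.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.dummysig"


# Constructed: what the questioner saw after requesting User.Read together with the ARM scope.
MIXED_SCOPE_TOKEN = _make_unsigned_token({"aud": "https://graph.microsoft.com", "scp": "User.Read"})
# Constructed: the token obtained when only the ARM scope is requested.
ARM_ONLY_TOKEN = _make_unsigned_token({"aud": "https://management.azure.com/", "scp": "user_impersonation"})

if __name__ == "__main__":
    for name, tok in (("mixed-scope token", MIXED_SCOPE_TOKEN), ("ARM-only token", ARM_ONLY_TOKEN)):
        print(name, "->", diagnose_arm_token(tok) or "looks usable against ARM")
```

Running a real token through this before calling the API separates "wrong audience/scope" from other 401 causes such as an expired token, which is the first thing to rule out when the token request itself succeeded.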