LearningLocker responds with 403 Forbidden when trying to read xAPI statement

Hi, a client wants to track a multiple response interaction with xAPI. They use LearningLocker Enterprise and I don't know much if anything about either of those things. I eventually managed to get it working (code using xapiwrapper) with my local LL instance by following this guide.

However, when trying this with the client's enterprise endpoint, I couldn't GET the id I need to PATCH the metadata: "message":"Privileges not sufficient for this operation"

Request:
 GET https://saas.learninglocker.net/api/v2/statement?query={"statement.id":"<REDACTED>"}&select={"statement.id":1}
 Accept: */*
 Accept-Language: de-DE,en-US;q=0.7,en;q=0.3
 Accept-Encoding: gzip, deflate, br
 Authorization: Basic <REDACTED>
 Content-Type: application/json; charset=utf-8
 Origin: http://localhost:8000
 DNT: 1
 Connection: keep-alive
 Sec-Fetch-Dest: empty
 Sec-Fetch-Mode: cors
 Sec-Fetch-Site: cross-site
 Pragma: no-cache
 Cache-Control: no-cache
 TE: trailers

Response:
 HTTP/2 403 Forbidden
 date: Mon, 10 Jan 2022 13:08:52 GMT
 content-type: application/json; charset=utf-8
 content-length: 107
 server: nginx
 access-control-allow-origin: *
 x-dns-prefetch-control: off
 x-frame-options: SAMEORIGIN
 strict-transport-security: max-age=15552000; includeSubDomains
 x-download-options: noopen
 x-content-type-options: nosniff
 x-xss-protection: 1; mode=block
 cache-control: no-cache, no-store, must-revalidate
 pragma: no-cache
 expires: 0
 X-Firefox-Spdy: h2

I know this is very technical, but I'd appreciate if anyone could help me find answers to these questions:

• Is there something blatently wrong with the request?
• Does the customer need to change something in the web app, e. g. permissions and if so, what exactly?
• Is this even the best way to do it? Is there perhaps a vendor agnostic way to send multiple responses that non-IT people can work with?

Thank you very much!