Ok, update: the server’s IP address is indeed blocked.
it blocks this IP pattern: a.bbb.cc.****
and only got fixed when i got provisioned a server with this IP pattern: a.bbb.dd.****
It would be nice though if the API made it more explicit that it was an IP block, and not a generic permissions error. Would’ve saved me a day or 2 from testing out various possible reasons why it failed.