You need the scope https://uri.paypal.com/services/reporting/search/read .. if it’s not there in the oauth2 response, double check your REST App’s permissions.
Refreshing an access token
Existing access tokens are cached for 9 hours–so if you already requested an API token and then just added this permission to your app, it can take up to 9 hours for that permission’s new scope to be reflected in the next token’s generation.
To avoid waiting 9 hours, you can terminate that existing cached token with:
curl -X POST https://api.sandbox.paypal.com/v1/oauth2/token/terminate \
-u "yourclientid:yoursecret" \
-d "token=REPLACE_WITH_YOUR_TOKEN"
After termination, your next call to get a token will get a newly-generated one, including the new scope that was just added to the REST app.