If it's an API Key, you need to add the
userId= part, like
Token <token>; userId=<userId>. For example,
Token abcdefg; userId=1.
I think luceos example is wrong because the
= is missing.
Also make sure that registrations are enabled or that the userId is an admin.
A different issue is that your body payload is not properly formatted (it's not following json:api spec), but that will be a different 400 error once you fix the authorization part.