accessing sharepoint REST apis using msal throws 4

Published 2019-08-10 14:42

Question:

If I go to https://developer.microsoft.com/en-us/graph/graph-explorer# and use a URL like:

https://graph.microsoft.com/beta/sites/4development106.sharepoint.com:/sites/DBSchenker:/lists/OEC_Docs/items I can see the request succeeds.

Now if I use the Angular app from GitHub https://github.com/AzureAD/microsoft-authentication-library-for-js

and the code like

  private sharePointHost: string = "https://4development106.sharepoint.com/sites/DBSchenker/_api/web/lists/getByTitle('OEC_Docs')/items";

  getDocuments(token) {
    const httpOptions = {
      headers: new HttpHeaders({
        'Accept': 'application/json;odata=verbose',
        'Authorization': "Bearer " + token
      })
    };

    this.http.get(this.sharePointHost, httpOptions).subscribe(
      (resp) => console.log("respon is::: " + JSON.stringify(resp)),
      (err) => console.log("error:::" + JSON.stringify(err))
    );
  }

It throws:

error:::`{"headers":{"normalizedNames":{},"lazyUpdate":null},"status":401,"statusText":"OK","url":"https://4development106.sharepoint.com/sites/DBSchenker/_api/web/lists/getByTitle('OEC_Docs')/items","ok":false,"name":"HttpErrorResponse","message":"Http failure response for https://4development106.sharepoint.com/sites/DBSchenker/_api/web/lists/getByTitle('OEC_Docs')/items: 401 OK","error":{"error_description":"Invalid JWT token. No certificate thumbprint specified in token header."}}`

Changing the host to (which works in Graph API Explorer)

private sharePointHost: string = "https://graph.microsoft.com/beta/sites/4development106.sharepoint.com:/sites/DBSchenker:/lists/OEC_Docs/items"

throws

error:::{"headers":{"normalizedNames":{},"lazyUpdate":null},"status":401,"statusText":"Unauthorized","url":"https://graph.microsoft.com/beta/sites/4development106.sharepoint.com:/sites/DBSchenker:/lists/OEC_Docs/items","ok":false,"name":"HttpErrorResponse","message":"Http failure response for https://graph.microsoft.com/beta/sites/4development106.sharepoint.com:/sites/DBSchenker:/lists/OEC_Docs/items: 401 Unauthorized","error":{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure.","innerError":{"request-id":"f5a77afc-0d92-49a0-92c4-e727e056d0a9","date":"2018-10-30T01:42:02"}}}}

Not sure what I am doing wrong.

Answer 1:

I've been having the same problem. The only solution I could find was to use ADAL instead of MSAL for the time being. I'm not quite sure why, but SharePoint Online only seems to work with ADAL the way you're using it.

Initially I thought it might be because of the "common" endpoint in MSAL, but switching to "Accounts in this organizational directory only (...)" didn't solve the problem either.

You might also want to take a look at https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/521 for a similar issue (though this didn't resolve my issue either).
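Both 401 responses quoted in the question are about the token itself, so a first diagnostic step is to look at the header and audience of the token being sent. The following is an added example, not code from the question or the answer; it runs under Node.js, the helper names and the sample token values are constructed, and the audience comparison is a heuristic assumed for this example.

```javascript
// Added diagnostic example, not code from the thread. Runs under Node.js.
// Decodes a JWT WITHOUT verifying the signature: inspection only, never a trust decision.
const SP_URL = "https://4development106.sharepoint.com/sites/DBSchenker/_api/web/lists/getByTitle('OEC_Docs')/items";

function decodeSegment(segment) {
  // JWT segments are unpadded base64url; map them to standard base64 first.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function inspectToken(token, targetUrl) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, findings: ['not a three-part JWT'] };
  let header, claims;
  try {
    header = decodeSegment(parts[0]);
    claims = decodeSegment(parts[1]);
    if (!header || !claims) throw new Error('segment is not a JSON object');
  } catch (e) {
    return { ok: false, findings: ['header or payload is not base64url JSON'] };
  }
  const findings = [];
  // The SharePoint response quoted in the question complains about this header field.
  if (!header.x5t) findings.push('header has no x5t thumbprint');
  // Heuristic (assumption of this example): the audience should name the host called.
  // GUID-form audiences are flagged too and need a manual look.
  const host = new URL(targetUrl).host;
  const aud = String(claims.aud || '');
  if (!aud.includes(host)) findings.push(`aud "${aud}" does not name ${host}`);
  return { ok: findings.length === 0, header, aud, findings };
}

// Builds an unsigned, constructed sample token so the example runs offline.
function makeSampleToken(header, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(claims)}.constructed-signature`;
}

const sample = makeSampleToken(
  { typ: 'JWT', alg: 'RS256', kid: 'constructed-key-id' },
  { aud: '00000000-0000-0000-0000-000000000000' } // constructed placeholder audience
);
console.log(inspectToken(sample, SP_URL).findings);
```

Run it locally against the token your own app obtained rather than pasting a live bearer token into an online decoder.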