Currently, we use a specific username and PAT to make Azure DevOps REST API calls, but this isn't a good solution from a maintenance and fragility point of view. We'd like to use the OAuth token instead.

One case that we're running into issues is trying to generate service endpoints from our pipeline. I can check if the endpoint exists just fine from our Powershell script using:

Invoke-RestMethod -Uri https://xxx.visualstudio.com/projectname/_apis/serviceendpoint/endpoints?api-version=5.0-preview.2 -Method Get -ContentType "application/json" -Headers @{Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN"} -Verbose -Debug

Unfortunately, when I try to use the following to create the endpoint if it doesn't exist, I'm getting a 403 (Forbidden). This is the call:

Invoke-RestMethod -Uri https://xxx.visualstudio.com/projectname/_apis/serviceendpoint/endpoints?api-version=5.0-preview.2 -Method Post -ContentType "application/json" -Headers @{Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN"} -Body $RequestBody -Verbose -Debug

Looks like the user invoking this does not have permissions to create resources (or at least service endpoints). I'm the one running the release, but I don't believe it's my access because I am the admin on the entire organization and can do pretty much anything. I've also modified the built in Project Collection Build Service user's access on the release pipeline to have full access and still get the issue. Is what I am trying to achieve not possible?

The OAuth Access Token is created with "Project Collection Build Service(xxx)" account, not your account, so you need to give "Project Collection Build Service(xxx)" account permission to create service endpoint.