Trying to help others: I was struggling with the 401 response while trying to CURL, and also with VBA trying to request as content-type "application/json" However, I was able to pull a valid response by just entering this in my browser address bar: https://mywebsite.com/wp-json/wc/v2/products?consumer_key=ck_blahblah&consumer_secret=cs_blahblah

Following this line of thought, I went back to my VBA app and changed the content type to "application/text" and was able to pull a valid response text with response code 200. Hope this helps someone.

Here is a modified answer to Quickredfox's anwer:

add_filter('woocommerce_rest_check_permissions', 'my_woocommerce_rest_check_permissions', 90, 4);

function my_woocommerce_rest_check_permissions($permission, $context, $object_id, $post_type) {
    if($_GET['consumer_key'] == 'asdfghj' && $_GET['consumer_secret'] == 'qwerty') {
        return true;
    }

    return $permission;
}

The downside to this is that the flexibility of adding and revoking access for users using a gui is lost. However, if nothing else works and you just can't figure out why, this will work and does not expose the API to the whole world.

Oh, and this requires passing the key and secret as parameters a la:

https://foo.bar.com/wp-json/wc/v3/products/123&consumer_key=asdfghj&consumer_secret=qwerty

This will work without https, but if you use it without https, remember that any credentials you send along with your request will be sent in plain text.