I’ve just done the same thing using Postman to test - retrieved an app-only auth bearer token, added that to the Authorization header of my request, and called the user timeline endpoint. Note that this will not work with the home timeline endpoint - that requires a user token.
Are you able to trace out the headers you are sending (please don’t paste the actual Bearer token in your answer).
Is the time on your host accurate? Oauth is time-dependent so clock drift can cause auth failures.
