I found the issue. It was the lack of setting opendistro_security.restapi.roles_enabled which sets which roles can access the security api. Same as here.
I set it to the default for now as indicated in the sample config. Detailed info about the security api can be found here.