Enable Authenticated Origin Pulls using the API

Could someone please tell me what I’m doing wrong? The following request to enable the zone-level setting is rejected with a permissions error:

$ curl -X PUT "https://api.cloudflare.com/client/v4/zones/REDACTED/origin_tls_client_auth/settings" -H "Authorization: Bearer ${API_TOKEN}" -H "Content-Type: application/json" -d '{"enabled":true}'

{"success":false,"errors":[{"code":1451,"message":"User does not have permissions to access this resource"}],"messages":[]}

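I should have the permission #ssl:edit: it appears in the `permissions` list of the zone details returned for the same token (below). Note that this list may describe what the account user can do on the zone rather than the scopes granted to this specific API token, so the token's own permissions are worth checking separately.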

$ curl --silent -X GET "https://api.cloudflare.com/client/v4/zones/REDACTED/" -H "Authorization: Bearer ${API_TOKEN}" | jq

{
  "result": {
    "id": "REDACTED",
    "name": "REDACTED",
    "status": "active",
    "paused": false,
    "type": "full",
    "development_mode": 0,
    "name_servers": [
      "curt.ns.cloudflare.com",
      "gail.ns.cloudflare.com"
    ],
    "original_name_servers": [
      "dns1.registrar-servers.com",
      "dns2.registrar-servers.com"
    ],
    "original_registrar": "namecheap, inc. (id: 1068)",
    "original_dnshost": null,
    "modified_on": "2021-05-05T22:00:44.135979Z",
    "created_on": "2021-05-05T21:22:56.290846Z",
    "activated_on": "2021-05-05T21:25:07.674508Z",
    "meta": {
      "step": 2,
      "custom_certificate_quota": 0,
      "page_rule_quota": 3,
      "phishing_detected": false,
      "multiple_railguns_allowed": false
    },
    "owner": {
      "id": "REDACTED",
      "type": "user",
      "email": "REDACTED"
    },
    "account": {
      "id": "REDACTED",
      "name": "REDACTED"
    },
    "permissions": [
      "#access:edit",
      "#access:read",
      "#analytics:read",
      "#app:edit",
      "#auditlogs:read",
      "#billing:edit",
      "#billing:read",
      "#cache_purge:edit",
      "#dns_records:edit",
      "#dns_records:read",
      "#healthchecks:edit",
      "#healthchecks:read",
      "#image:edit",
      "#image:read",
      "#lb:edit",
      "#lb:read",
      "#legal:edit",
      "#legal:read",
      "#logs:edit",
      "#logs:read",
      "#member:edit",
      "#member:read",
      "#organization:edit",
      "#organization:read",
      "#ssl:edit",
      "#ssl:read",
      "#stream:edit",
      "#stream:read",
      "#subscription:edit",
      "#subscription:read",
      "#teams:edit",
      "#teams:pii",
      "#teams:read",
      "#teams:report",
      "#waf:edit",
      "#waf:read",
      "#waitingroom:edit",
      "#waitingroom:read",
      "#webhooks:edit",
      "#webhooks:read",
      "#worker:edit",
      "#worker:read",
      "#zaraz:edit",
      "#zaraz:read",
      "#zone:edit",
      "#zone:read",
      "#zone_settings:edit",
      "#zone_settings:read"
    ],
    "plan": {
      "id": "0feeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
      "name": "Free Website",
      "price": 0,
      "currency": "USD",
      "frequency": "",
      "is_subscribed": false,
      "can_subscribe": false,
      "legacy_id": "free",
      "legacy_discount": false,
      "externally_managed": false
    }
  },
  "success": true,
  "errors": [],
  "messages": []
}