The old spec, https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html, seems to say that 401 can mean either unauthenticated or unauthorized. If you haven't signed in, it means unauthenticated. If you have signed in, then it means unauthorized. Were the status codes written before authenticate and authorize had the narrow meanings of today?
Meanwhile, 403 seems to be reserved for when the server just generally doesn't want to do what you're asking it to do. It may tell you, it may not, it doesn't have to tell you, so there. "Authorization will not help..."
Yet the official name for 401 is 401 UNAUTHORIZED.
So even the very basics of REST and HTTP are confusingly or ambiguously defined.
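Added example, not part of the original post: one common way a server separates the two cases, answering 401 with a `WWW-Authenticate` challenge when credentials are missing or refused, and 403 when the identified user is simply not permitted. The user table, realm, `/admin` rule and function names are constructed for illustration.

```python
import base64
import hmac

# Constructed sample data (assumptions for this example, not from the post).
USERS = {"alice": "wonderland", "bob": "builder"}
ADMINS = {"alice"}
REALM = "example"

def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def decide(path, authorization=None):
    """Return (status, headers) for a request to `path`."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic(authorization)
    if creds is None:
        # No usable credentials: challenge the client to authenticate.
        return 401, challenge
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison; unknown users compare against an empty string.
    matches = hmac.compare_digest(password.encode(), (expected or "").encode())
    if expected is None or not matches:
        # Credentials were sent but refused: 401 again, with a fresh challenge.
        return 401, challenge
    if path.startswith("/admin") and user not in ADMINS:
        # Identity is established; resending credentials will not help.
        return 403, {}
    return 200, {}

def basic(user, password):
    """Build a Basic Authorization header value for the sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```
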