Sometimes this could happen if you don’t set the proper `Content-Type` header yourself. Could you double check that?
I think the user on which you are using the Rest service has no rights to the REST-microflow.
In the REST-service:
In the microflow:
I would suggest turning the log level for the REST Consume lognode up to TRACE. This will show you exactly what your Mendix application is sending to Cybersource and you can compare this to your working Postman request. Hopefully you be able to see a difference and be able to resolve the issue with your Call REST action.
I see the working request uses a session cookie. Are you adding the cookie as a header in your request from Mendix? If not, how are you authorizing the request?