Its probably user error, and I would not be shocked if it was not with the token. Are they testing access with the api page on JAMF Pro? When they click "try" they should be able to copy the Curl command out and paste it in to terminal to test (or just use the web console). Permissions should be the same between JAMFs API's. Keep it stupid simple and make sure they are using terminal to test before trying to cram stuff in to some application to make the API calls.
On a side note, be careful giving out "full administrator permissions". Especially to a developer, and doubly Especially if that developer is not on your team. You have to fix what they break. Minimum access is the best policy, only give access to what they need to accomplish the task assigned to them.
