upon remembering, it was actually just Token Auth - for some reason, when i created a machine identity in my parent organization, the CLI would always return a 403 for any project ID, regardless of whether i gave the identity the adequate permissions.
i got around it by just generating an identity for each project, which was probably a better idea anyway for granularity