> Then QA engineers come into play: "Hey, I got 403 status, is that expired token or not enough access?"

To be fair, the HTTP status line allows for arbitrary informational text, so something like “HTTP/1.1 401 JWT token expired” would be perfectly allowable.