I've confirmed that, as required, the Splunk API account has the correct Application and Delegated permissions to read the service health, activity data, and DLP policy events. These permissions are selected, saved and then granted within the Office 365 Management Activity API configuration on Azure Active Directory.
Also confirmed that the account has Microsoft Office 365 E3 license applied.
We are really at wit's end and have had a support case open since 7/21.
Hopefully, someone here has some experience with this issue.
Bumping this up because we have the same issue