I suggest using the second approach which gives you the 403 error. One thing to note, you don’t need to explicitly set the concurrentSession to false. By default, it will be false, per the API doc. Better to just leave it out.
Are you able to call this API in Postman? I’m curious if you can successfully generate a token manually before trying to call it in this rule.