Good to know: for a REST service user, the account should not be a webservice user, but a “normal” user.
Did you see this documentation: https://github.com/mendix/RestServices#securing-published-services
Regards,
Ronald