I have resolved the issue. It was. . .dumb.
I wasn’t setting a content-type for the post request. I was assuming that that header would be set by the library I’m using, and it wasn’t. 
I used url-encoded, but I’m pretty sure it’d work even if I went back to sending a JSON-based request; I’d just need to set the header. I’m considering putting in a bug report to the library, because this feels like the sort of thing that should be handled automatically (as it is in similar libraries in other ecosystems).
Thanks go to @mikusai for having their own, unrelated problem, but who shared their auth code and made me think about the header: Trying to upload an SGF but it doesn't work. Please help!