Google People API - 我需要什么才能从服务帐户访问单个用户的联系人？

我正在编写一个应用程序 (C#/Windows)，它从其他来源获取数据，并使用它来使我的域中特定用户的 Google 邮件列表和联系信息保持最新。我已经达到了能够读取所有 Google 电子邮件组的成员的程度，因此我已经掌握了基础知识，但现在我在尝试读取和更新信息时遇到了障碍用户定义的联系人。

我正在使用 OAuth2 并创建了一个服务帐户，并且在域范围委派中 屏幕上我已向我的服务帐户添加了“auth/contacts”权限（我想我的应用程序，尽管我现在找不到该客户端 ID 映射到的内容）。

当我运行这段代码时：

credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
   GoogleClientSecrets.FromStream(stream).Secrets,
   new[] { PeopleServiceService.Scope.DirectoryReadonly, PeopleServiceService.Scope.Contacts },
   "[snip]@email-group-updater.iam.gserviceaccount.com", CancellationToken.None);
var initializer = new BaseClientService.Initializer()
   { HttpClientInitializer = credential, ApplicationName = "UpdateMailGroups" };
var people_service = new PeopleServiceService(initializer);
var pc = people_service.People.Connections.List("people/me");
var x = pc.Execute();

它抛出异常

GoogleApiException: The service people has thrown an exception. HttpStatusCode is Forbidden. Request had insufficient authentication scopes.
Error=Google.Apis.Requests.RequestError
Request had insufficient authentication scopes. [403]
Errors [
    Message[Insufficient Permission] Location[ - ] Reason[insufficientPermissions] Domain[global]
]

ErrorResponseContent={
  "error": {
    "code": 403,
    "message": "Request had insufficient authentication scopes.",
    "errors": [
      {
        "message": "Insufficient Permission",
        "domain": "global",
        "reason": "insufficientPermissions"
      }
    ],
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
        "domain": "googleapis.com",
        "metadata": {
          "service": "people.googleapis.com",
          "method": "google.people.v1.PeopleService.ListConnections"
        }
      }
    ]
  }
}

但我一直找不到这样的文档：“如果你想要资源 X，你需要身份验证范围 Y”。

在这种情况下，我缺少什么身份验证？