June 1, 2026
Question

FortiToken assignment fails with error -651 from VDOM context - cannot access token pool


Hello,

I am trying to assign a FortiToken Mobile to a local user via REST API 
on FortiOS v7.4.11 and getting error -651 "FortiToken is invalid".

Environment:
- FortiOS version: 7.4.11
- Multiple VDOMs configured
- Users are in VDOM "PO"
- API admin profile scope: Global
- API admin has User & Device: Read/Write

Important note:
We do not have direct access to the FortiGate GUI – only the customer 
does. Therefore we can only work via the REST API and cannot verify 
the exact request that the GUI sends when assigning a token.

What works:
- GET monitor/user/fortitoken?status=available → returns available tokens
- GET cmdb/user/fortitoken/{serial} → works WITHOUT vdom parameter (root context)
- GET cmdb/user/fortitoken?vdom=PO → returns empty / token not found
- PUT cmdb/user/local/{login}?vdom=PO with two-factor: email → works fine

What fails:
- PUT cmdb/user/local/{login}?vdom=PO with fortitoken serial → error -651
- PUT cmdb/user/local/{login} without vdom → HTTP 404 user not found

The token exists in CMDB, status is active, not assigned to any user.
Token assignment works fine through the GUI (confirmed by customer).

My conclusion is that from a VDOM context I cannot access the global 
token pool, even though the API admin profile has Global scope.

Questions:
1. Is it expected behavior that tokens are not accessible from VDOM 
   context via API?
2. What is the correct API call to assign a FortiToken to a user 
   in a specific VDOM?
3. Is there any additional configuration needed to allow token 
   assignment via API from VDOM context?

Thank you