There could be numerous reasons why what you intend is not happening although you are sure that you have a valid API key. One of those cases is when you misconfigure acceptable IP address / Domain Names / App Bundle IDs in your console page. You can set only hosts with registered IP addresses in the console page can use your API key and misconfiguring such may bring unexpected result.
Above image is a security tab in the console page. By adding domain name, IP address, or app bundle ID, you can set a constraint such that only apps or browsers that conform to the registered domain name, IP address or app bundle ID may use your API Key. By setting them, even if your API key is exposed to other people, they won't be able to make use of your API Key.
For example, let's say you have set up a Domain Name as "MyDomain.com" in the security tab. If you are making an API call from other than "MyDomain.com" (i.e. Postman as it doesn't have domain name unless you set a domain name within Postman as well), our server will send "403 Permission Denied" as it will check the security policy of the API Key first before responding with successful return.
tldr: Please double check your acceptable IP addresses configuration in your console page.