I've truncated your stack trace in the OP for brevity. You can turn off debug logging to get only the necessary error info, which is the message and code.
In this case it seems you're doing everything right except for passing the session token. For example, I have this session token:
X-DreamFactory-Session-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsInVzZXJfaWQiOjEsImVtYWlsIjoiamVmZnJleUBkcmVhbWZhY3RvcnkuY29tIiwiZm9yZXZlciI6ZmFsc2UsImlzcyI6Imh0dHBzOlwvXC9kZW1vLmVudGVycHJpc2UuZHJlYW1mYWN0b3J5LmNvbVwvYXBpXC92Mlwvc3lzdGVtXC9hZG1pblwvc2Vzc2lvbiIsImlhdCI6IjE0NDc0MjcxNDkiLCJleHAiOiIxNDQ3NDMwNzQ5IiwibmJmIjoiMTQ0NzQyNzE0OSIsImp0aSI6ImQ3ZGE0YmU0M2NmOTA5NzczMWYzZjJmZDA0MDllOTJjIn0.-jXCtGrU5gBonVsjgg5wpk-afs5bWGIKq8GZEWMY7GM
If I remove that M from the end, invalidating the hash, and try to call the API with this value:
X-DreamFactory-Session-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsInVzZXJfaWQiOjEsImVtYWlsIjoiamVmZnJleUBkcmVhbWZhY3RvcnkuY29tIiwiZm9yZXZlciI6ZmFsc2UsImlzcyI6Imh0dHBzOlwvXC9kZW1vLmVudGVycHJpc2UuZHJlYW1mYWN0b3J5LmNvbVwvYXBpXC92Mlwvc3lzdGVtXC9hZG1pblwvc2Vzc2lvbiIsImlhdCI6IjE0NDc0MjcxNDkiLCJleHAiOiIxNDQ3NDMwNzQ5IiwibmJmIjoiMTQ0NzQyNzE0OSIsImp0aSI6ImQ3ZGE0YmU0M2NmOTA5NzczMWYzZjJmZDA0MDllOTJjIn0.-jXCtGrU5gBonVsjgg5wpk-afs5bWGIKq8GZEWMY7G
I receive your exact error:
{"error":{"context":null,"message":"Invalid token: Token Signature could not be verified.","code":401}}
So either you're not capturing and passing the token intact, or it's being passed in an invalid way.