We had 403 errors on timeout of our token in a report...things would look OK if static, but hitting a slicer would lead to an "x" on every crossfiltered slicer.
Make sure the token timeout is longer than the default 5 minutes or whatever it's set to.
That's the best I can do...probably something different, but if the token is issued when you open the page and you then interact with the page past timeout...that yields a 403.