I'm not sure what you mean when you say 'all Power BI permissions were delegated in AAD'. Can you share more details? Here's something to try:
Power BI has a tile embed sample, which I verified works correctly with interactive user login. Note that when you're using PowerBI.com, the user needs to be an AAD user and needs to log in as themselves for licensing reasons. As someone alluded to in another comment, if you want to not use AAD users, you'd use Power BI Embedded, which doesn't require the end user to be an AAD user.
https://powerbi.microsoft.com/en-us/documentation/powerbi-developer-integrate-tile/
Can you use your client ID and secret with the above sample and see if it works? Make sure the application has the following redirect URL configured:
Usually, you get a 403 when the application does not have appropriate permissions. Remember that if you added permissions (scopes) to the application AFTER the user trusted the application, the user’s token won’t get the new scopes until they remove trust from the application and trust it again. Easiest workaround is to create a new application and use that instead. Alternative is to manually remove the application using Office 365’s “my apps” feature and then try to use the application again.
You might also draw inspiration from several other similar threads from other services:
http://stackoverflow.com/questions/31735264/403-forbidden-from-azure-graph-api
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-developers-guide
HTH,
-Lukasz
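
One way to confirm the stale-consent cause described in the reply above is to inspect the access token itself. This is an added example, not part of the original post or the Power BI sample: it decodes the token payload and reports which delegated scopes are absent from the `scp` claim. The required scope list and the sample tokens are constructed for illustration, and the signature is not verified because this is a diagnostic only.

```python
import base64
import json


def jwt_claims(token):
    """Decode a compact JWT's payload WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, required_scopes):
    """Compare the delegated scopes in the token against what the call needs."""
    claims = jwt_claims(token)
    # Delegated (user) tokens from AAD list scopes space-separated in "scp".
    # App-only tokens have no "scp" claim; they carry "roles" instead.
    granted = set(claims.get("scp", "").split())
    return {
        "delegated": "scp" in claims,
        "granted": sorted(granted),
        "missing": sorted(set(required_scopes) - granted),
    }


def constructed_token(claims):
    """Build an unsigned sample token for the demo (constructed, not a real one)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


# Assumption: the scopes the application now requests after permissions were added.
REQUIRED = ["Dashboard.Read.All", "Dataset.Read.All"]

# Constructed: token issued from consent given BEFORE Dashboard.Read.All was added.
STALE = constructed_token({"scp": "Dataset.Read.All"})
# Constructed: token issued after the user removed trust and consented again.
FRESH = constructed_token({"scp": "Dashboard.Read.All Dataset.Read.All"})
# Constructed: app-only token, which has no delegated scopes at all.
APP_ONLY = constructed_token({"roles": ["Tenant.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("stale", STALE), ("fresh", FRESH), ("app-only", APP_ONLY)):
        print(name, diagnose(tok, REQUIRED))
```

A non-empty `missing` list on a delegated token points to the re-consent problem; `delegated: False` means the token was not issued for a signed-in user.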