Cannot publish to generic package registry (403 Forbidden)

I am trying to publish a package to the generic registry but I keep getting a 403 Forbidden back:

curl -v --header "Authorization: Bearer <token with ALL scopes>" \
  --upload-file python.json \
  "https://gitlab.com/api/v4/projects/<MY PROJECT ID>/packages/generic/dummy-package/0.0.1/dummy.json"

that responds with:

*   Trying 172.65.251.78:443...
* Connected to gitlab.com (172.65.251.78) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=gitlab.com
*  start date: Nov  1 00:00:00 2022 GMT
*  expire date: Jan 30 23:59:59 2023 GMT
*  subjectAltName: host "gitlab.com" matched cert's "gitlab.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* h2h3 [:method: PUT]
* h2h3 [:path: /api/v4/projects/<MY PROJECT ID>/packages/generic/dummy-package/0.0.1/dummy.json]
* h2h3 [:scheme: https]
* h2h3 [:authority: gitlab.com]
* h2h3 [user-agent: curl/7.84.0]
* h2h3 [accept: */*]
* h2h3 [authorization: Bearer <MY TOKEN>]
* h2h3 [content-length: 165979]
* Using Stream ID: 1 (easy handle 0x15b813600)
> PUT /api/v4/projects/<MY PROJECT ID>/packages/generic/dummy-package/0.0.1/dummy.json HTTP/2
> Host: gitlab.com
> user-agent: curl/7.84.0
> accept: */*
> authorization: Bearer <MY TOKEN>
> content-length: 165979
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* We are completely uploaded and fine
< HTTP/2 403 
< date: Mon, 14 Nov 2022 08:26:58 GMT
< content-type: application/json
< content-length: 27
< cache-control: no-cache
< content-security-policy: default-src 'none'
< vary: Origin
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-request-id: 21a638215839109693885a19cf93fd7c
< x-runtime: 0.079811
< strict-transport-security: max-age=31536000
< referrer-policy: strict-origin-when-cross-origin
< ratelimit-observed: 1
< ratelimit-remaining: 1999
< ratelimit-reset: 1668414478
< ratelimit-resettime: Mon, 14 Nov 2022 08:27:58 GMT
< ratelimit-limit: 2000
< gitlab-lb: fe-08-lb-gprd
< gitlab-sv: localhost
< cf-cache-status: DYNAMIC
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oYK58UXSeXkhx%2BmbUWbGqnIVbkVmBkvN0dysJEA%2B0FC0kfBjo7CfebE2zvmJsrNtlmrxNHeszFqi%2Baoly6em61vMO8wsv3i4OW1RyOW%2FhvF6kKN7gL2n038IDA8%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 769e5d7e7b6a58f0-TXL
< 
* Connection #0 to host gitlab.com left intact
{"message":"403 Forbidden"}%    

I’ve also tried -H "PRIVATE-TOKEN: <MY TOKEN>" but same result.

What am I doing wrong?