Permissions error reading Teams 1:1 chat with Microsoft Graph API


I'm trying to retrieve the history for a 1:1 bot-user chat with a Teams bot installed in personal scope. The bot's service principal has the application permission TeamsAppInstallation.ReadWriteSelfForUser.All.

A demo user found the app and added it to her personal scope. The app shows up in the left panel and has "Uninstall" on its context menu, so I assume it is actually installed. (Also, POST https://graph.microsoft.com/v1.0/users/<user-id>/teamwork/installedApps says AppEntitlement id: '<app-installation-id>' already exists in thread : '' for user : '<user-id>'.)

When using GET https://graph.microsoft.com/v1.0/users/<user-id>/teamwork/installedApps/<base64-chat-id>/chat I get info on the chat:

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#chats/$entity",
  "id": "19:<user-id>_<teams-app-id>@unq.gbl.spaces",
  "topic": null,
  "createdDateTime": "2023-10-20T13:11:26.691Z",
  "lastUpdatedDateTime": "2023-10-20T13:11:27.011Z",
  "chatType": "oneOnOne",
  "webUrl": "https://teams.microsoft.com/l/chat/19%3A<user-id>_<teams-app-id>%40unq.gbl.spaces/0?tenantId=<tenant-id>",
  "tenantId": "<tenant-id>",
  "viewpoint": null,
  "onlineMeetingInfo": null
}

As expected, trying to retrieve the chat history with GET https://graph.microsoft.com/v1.0/chats/19:<user-id>_<teams-app-id>@unq.gbl.spaces/messages produces the error Missing role permissions on the request. API requires one of 'Chat.Read.WhereInstalled, Chat.ReadWrite.WhereInstalled, ChatMessage.Read.All, Chat.Read.All, Chat.ReadWrite.All, ChatMessage.Read.Chat'. Roles on the request 'TeamsAppInstallation.ReadWriteSelfForUser.All, Group.Selected'. Resource specific consent grants on the request ''. However, if I add Chat.Read.WhereInstalled and try to read the history of this chat, I get Forbidden:

{
  "error": {
    "code": "Forbidden",
    "message": "Not allowed to access the resource because no apps with Azure AD App ID '<teams-app-id>' were found installed in the chat.",
    "innerError": {...}
  }
}

If I change the bot permissions to include Chat.Read.All I am allowed to retrieve the chat history, but that is unacceptably high permissions for this case. What am I doing wrong?

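The checks a practitioner would run before opening a question like this, as an added example that is not part of the post and not Microsoft's code: decode the `roles` claim of the app-only token actually being sent (so you see what Graph sees rather than what the app registration page shows), parse the two Graph error bodies quoted above, and report the narrowest listed permission that is missing. For the "no apps ... found installed in the chat" error it also compares the app id in the error text with the app id embedded in the 1:1 chat id (the post uses the same `<teams-app-id>` placeholder for both). The permission ranking, the chat-id regex, the helper names and every sample value (token, GUIDs, error text) are assumptions constructed for the offline demo, not facts from the question.

```python
"""Inspect the app-only token and the Graph error bodies for a
/chats/{id}/messages call. Added example for this post; all sample
values below are constructed."""
import base64
import json
import re
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# Assumed ranking, narrowest first: the WhereInstalled variants only cover
# chats the app is installed in, the .All variants cover every chat in the tenant.
PERMISSION_PREFERENCE = [
    "Chat.Read.WhereInstalled",
    "Chat.ReadWrite.WhereInstalled",
    "ChatMessage.Read.Chat",
    "Chat.Read.All",
    "ChatMessage.Read.All",
    "Chat.ReadWrite.All",
]

_REQUIRED_RE = re.compile(r"API requires one of '([^']*)'")
_PRESENT_RE = re.compile(r"Roles on the request '([^']*)'")
_NOT_INSTALLED_RE = re.compile(
    r"no apps with Azure AD App ID '([^']*)' were found installed in the chat")
# Shape of the 1:1 bot chat id quoted in the question (assumed to be general):
# 19:<user-id>_<app-id>@unq.gbl.spaces
_CHAT_ID_RE = re.compile(r"^19:(?P<user>[^_]+)_(?P<app>[^@]+)@unq\.gbl\.spaces$")


def messages_url(chat_id: str) -> str:
    return f"{GRAPH}/chats/{chat_id}/messages"


def installed_chat_url(user_id: str, installation_id: str) -> str:
    return f"{GRAPH}/users/{user_id}/teamwork/installedApps/{installation_id}/chat"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token: str) -> list:
    """Application permissions granted to this token (the 'roles' claim).
    The payload is decoded WITHOUT signature verification: this is for
    inspecting your own token, never for an authorization decision."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return list(payload.get("roles", []))


def chat_app_id(chat_id: str) -> Optional[str]:
    """App id embedded in a 1:1 bot chat id, or None if the id has another shape."""
    m = _CHAT_ID_RE.match(chat_id)
    return m.group("app") if m else None


def _split(csv: str) -> list:
    return [r.strip() for r in csv.split(",") if r.strip()]


def diagnose(error_body: dict, chat_id: Optional[str] = None) -> dict:
    """Classify a Graph error body for the /messages call and say what is missing."""
    message = error_body.get("error", {}).get("message", "")

    m = _REQUIRED_RE.search(message)
    if m:
        required = _split(m.group(1))
        p = _PRESENT_RE.search(message)
        present = _split(p.group(1)) if p else []
        missing = [r for r in required if r not in present]
        suggested = next((r for r in PERMISSION_PREFERENCE if r in missing),
                         missing[0] if missing else None)
        return {"kind": "missing_permission", "required": required,
                "present": present, "suggested": suggested}

    m = _NOT_INSTALLED_RE.search(message)
    if m:
        app_in_error = m.group(1)
        app_in_chat = chat_app_id(chat_id) if chat_id else None
        return {"kind": "app_not_installed_in_chat",
                "app_id_in_error": app_in_error,
                "app_id_in_chat_id": app_in_chat,
                "ids_match": app_in_chat is not None and app_in_chat == app_in_error}

    return {"kind": "unknown", "message": message}


def make_sample_token(roles: list) -> str:
    """Constructed, unsigned JWT with the given roles, for the offline demo only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), ""])


if __name__ == "__main__":
    # Constructed token and chat id standing in for the real ones.
    tok = make_sample_token(["TeamsAppInstallation.ReadWriteSelfForUser.All", "Group.Selected"])
    cid = ("19:11111111-1111-1111-1111-111111111111"
           "_22222222-2222-2222-2222-222222222222@unq.gbl.spaces")
    print("roles in token:", token_roles(tok))
    print("app id in chat id:", chat_app_id(cid))
    print("call:", messages_url(cid))
```

Run `token_roles()` on the token you send, not on what the portal shows: the "Roles on the request" list in the first error is exactly that claim, and a missing admin consent or a stale token shows up there first. For the second error, `diagnose(..., chat_id)` returning `ids_match: False` means the error names a different app registration than the one the chat was created for; `True` means the two ids agree and the problem is the installation state itself, as in the post.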