rest – Can API authorization retransmit in API contract?

An example:
user authenticated with token, some property in contract must be within the set that the user can send, such as order type 1, 2 or 3. The user sends 4, which is also possible, but not for him, if the 403 he is forbidden to answer or 400 bad order?
If the authorization is retransmitted in the order type, should it be in the header instead of the contract? What happens if the contract has an incorrect format and can not be deserialized to contract an object? Then, we send 400 incorrect requests instead of 403 because we can not perform a part of the authorization process. Must the authorization be the validation of the contract first? What are the best approaches here?

Thanks for the suggestions!