So, it turns out I'm an idiot.
After using Postman to test my API calls, I found a more descriptive error message, which is unfortunately hidden when using Invoke-RESTMethod in PowerShell.
The error message, accompanying the 400 status, was:
"One or more assets in the request are not included in the site configuration"
And indeed, somehow I was POSTing a scan to site 2, for an asset which lives in site 1.
This will teach me to clear my variables, and to not just run snippets from the scripts when testing.