I’m thinking your running into this limitation mentioned here:
Password-protected sites. Functions triggered by events won’t work if you have full site protection enabled as Netlify doesn’t have access to site credentials or authentication information at event completion. Consider using basic authentication instead for only the sections of the site you need to protect and exclude the functions. Netlify automatically adds a layer of security for your event functions with JSON web signatures.
If you check the above code, it clearly doesn’t use basic auth. I have already shown you exactly how you need to call the call. Now, how you implement that in Postman, is up to you. But, to be explicit: