It should theoretically be possible to set a space permission, however:
‘Note: Apps cannot access this REST resource - including when utilizing user impersonation.’
This is the case for Forge apps, JS Fetch api and curl attempts, and even in Connect (see: Connect: Permission exception when setting space permissions )
If this does appear to be a bug/no access to actually use this endpoint, this presents us with a blocker (being able to set permissions). Is there a current ticket relating to this to track?
If this is not a problem, it would be great to understand how this should be achieved (as the examples in the provided endpoint docs are not working).