Are you sure the “functionality doesn’t work because of lack of permission”, even on an entirely new instance? The explicit user consent flow has recently been removed in favor of Simplified user consent for Forge (after an opt-in preview period), so it isn’t surprising that you don’t see it anymore:
We’ve changed the consent model for Forge so that individual users no longer need to grant consent in most cases.
This includes when they interact with an app for the first time and after major version changes.
As part of the GA release:
New Forge apps will automatically adopt the simplified user consent flow.
Existing apps will adopt the new flow after their next deployment and it will be minor version update. You don’t need to make any change to your code.
Of course, it is supposed to automatically grant all scopes once the administrator has installed an app, so anything else would be a major bug.