As the route is decorated with an user application you should generate a token on the Applications tab of the user, accepet it and send it in authentication headers.
Otherwise the system does not know how to authentificate the user for the application an the requests are rejected.
This status is not returned when the authentication is missing.
Indeed it is sent when the method of the request is not one of those allowed by the route. For example if you do a POST on the timesheet_employees.