Hello!
It was necessary to add to the header the token X-Frappe-CSRF-Token: token_number of the user.
On this thread is talking about it: CSRF Token Checks Prohibit POST Rest API Calls for a Logged in User
As a petition, I think this should be added or mentioned on the Frappe REST Api guide (https://frappe.github.io/frappe/user/guides/integration/rest_api.html) for other users that could have this problem.
Thank you to @alex_melkoff for finding the thread.