validation, rest, authentication

Which is better? 403 status code or 422 status code with payload for failed validation and authentication?


POST /api/teams

{
    "name": "",
    "leagueId": 1
}

Rules:

  1. name is required
  2. leagueId is required
  3. authenticated user should be the owner of the league where the created team will be associated to.

Let's say the authenticated user doesn't have access to leagueId because the user is not the owner. Is it better to return a 403 response (note that the rule for the name field is also not satisfied)? Or is it better to return a 422 status code and this payload:

{
    "errors": [
        {
            "field": "name",
            "message": "Name is required."
        },
        {
            "field": "leagueId",
            "message": "User is not the owner of the league."
        }
    ],
    "message": "Validation Failed"
}

Solution

  • I would return a 400 bad request when a required field is not present as the request did not satisfy the implicit contract.

    And I would return 403 Forbidden in the case the authenticated user is not the owner of the league, as it indicates that the user is not allowed to do this because of who he/she is.
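One way to wire the answer's split (400 for a broken request contract, 403 for a non-owner) into a request handler, added here as an example rather than code from the asker or answerer; the league table, the user ids and the 401 for a missing caller are assumptions.

```python
# Added example: the answer's status-code split applied to POST /api/teams.
# Assumption (constructed): a league table mapping league id -> owning user id.
LEAGUES = {1: "alice", 2: "bob"}


def create_team(body, current_user=None):
    """Handle POST /api/teams and return (status, payload).

    - 401 when there is no authenticated caller (assumed; not on the page)
    - 400 with per-field errors when the body breaks the request contract
    - 403 when the caller is not the owner of the referenced league
    - 201 when the team is created
    """
    if current_user is None:
        return 401, {"message": "Authentication required."}

    # Contract checks first: without a valid leagueId there is nothing to authorize.
    errors = []
    name = body.get("name")
    if not isinstance(name, str) or not name.strip():
        errors.append({"field": "name", "message": "Name is required."})
    league_id = body.get("leagueId")
    if isinstance(league_id, bool) or not isinstance(league_id, int):
        errors.append({"field": "leagueId", "message": "leagueId is required."})
    if errors:
        return 400, {"message": "Validation Failed", "errors": errors}

    # Ownership check: an unknown league gets the same 403 as someone else's
    # league, so the response does not reveal which league ids exist.
    if LEAGUES.get(league_id) != current_user:
        return 403, {"message": "User is not the owner of the league."}

    team = {"name": name.strip(), "leagueId": league_id, "owner": current_user}
    return 201, team
```

With the question's body (empty name, leagueId 1) sent by a non-owner, the contract failure wins and the client sees 400; the same body with a valid name yields 403.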