I consider 401 Unauthorized or 403 Forbidden, but I don't have any argument to apply.
The 403 status code seems to be suitable for the situation described in your question. However, if the server wants to "hide" the existence of a resource, then 404 can be used instead. See the following quote from RFC 7231:

> 6.5.3. 403 Forbidden
>
> The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).
>
> If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.
>
> An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

The 401 status code is meant to be used for HTTP authentication (where the credentials are sent in the Authorization header) to indicate that the credentials have been refused for that request.
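The decision described in this answer, written out as an added example (not code from the question or the answer): authentication failure maps to 401 with the mandatory WWW-Authenticate challenge, a valid identity without permission maps to 403, and a resource the server wants to hide answers 404 instead of 403. The token table, ACL and paths are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


# Constructed sample data: bearer tokens, a per-resource ACL, and the set of
# resources whose existence must not be revealed to unauthorized callers.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ACL = {"/reports/q1": {"alice"}, "/admin/secret": {"root"}}
HIDDEN = {"/admin/secret"}

NOT_FOUND = Response(404, "Not Found")


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Resolve the Authorization header to a user, or None if refused."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    return TOKENS.get(authorization[len("Bearer "):])


def authorize(path: str, authorization: Optional[str]) -> Response:
    """Map the outcome of authentication and authorization onto 401/403/404."""
    if path not in ACL:
        return NOT_FOUND
    user = authenticate(authorization)
    if user is None:
        # Credentials missing or refused: 401 must carry a challenge so the
        # client knows which scheme to retry with.
        return Response(401, "Unauthorized",
                        {"WWW-Authenticate": 'Bearer realm="api"'})
    if user not in ACL[path]:
        # Identity is valid but lacks permission; retrying with the same
        # credentials will not help. A hidden resource answers exactly like
        # a genuine miss so the two cases are indistinguishable.
        return NOT_FOUND if path in HIDDEN else Response(403, "Forbidden")
    return Response(200, f"hello {user}")
```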