Token’s permissions returned by Mailbox.getCallbackTokenAsync method
The Mailbox.getCallbackTokenAsync method should return a token having the same permissions as specified by the mail app. For example the returned token should allow to read/write an item if the mail app has specified the ReadWriteItem or ReadWriteMailbox permission in its manifest. Currently the returned token allows its bearer (i.e. a web app receiving the token) only to read an item, not to write an item.
You can use Office.context.auth.getAccessTokenAsync and specify permissions in manifest.