The elastic/fleet-server user is a built-in service account. An API key for the Elasticsearch output in Elastic Agent is issued by that account. The fleet-server is supposed to tailor the privileges of that API key based on the policy applied to that agent (this way the API key has the least privileges possible).
I'm not sure what went wrong, but perhaps you can try to create a new policy that contains Endpoint and apply the new policy to this agent. Maybe this will trigger an updated API key to be used that has the proper privileges.