App unable to create gist on behalf of user using oauth

My goal is to be able to create gists on behalf of users.

I have registered a GitHub App. In the GitHub App settings page, I have enabled “User Permissions / Gists / Access: Read & write” (and no other permissions).

My website follows the Web application flow. The user sees an authorization page including the text “Create and modify a user’s gists and comments”, and my server successfully exchanges the code for a user access token.

My website then sends a request to the Create a gist REST API with the user’s access token in the Authorization header. However, it receives the following HTTP 403 error:

{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://docs.github.com/rest/reference/gists#create-a-gist"
}

I noticed that when my server calls the access_token API, the scope field is the empty string. I expected it to be gist, since that would seem to correspond to the “Gists / Access: Read & write” permission I chose in the App settings.

I also found that if the user installs the app to their personal GitHub repo (e.g. via https://github.com/apps/APPNAME/installations/new), then when the user performs the OAuth authentication process, I AM able to create gists successfully without error using their access token.

Is this behaving as expected, or am I doing something incorrectly? Is it the case that a GitHub app must always be installed to a particular org? If so, why does the normal web authorization process not perform this step or prompt the user to pick an org? It’s especially puzzling because the the web authorization screen explicitly mentions granting the permission to write gists.

Thanks for any information!