The issue is that the Postman extension is following the redirect and sending the original authorisation header with both requests. So when you call the endpoint: -
> https://document-api.companieshouse.gov.uk/document/Wnzo1HaxKGzsajuSk-VXqPcZP6MuQ58ht-cUR8HEDpM/content
the initial response is a 302 redirect with a one time use URL to retrieve the document provided in the location header. The request to the one time use URL does not require the same basic authentication details as it contains a x-amz-security-token as part of the URL, hence the error message.
To resolve you need to stop the redirect from being followed automatically and capture the “location” from the header and then call this URL without the basic authentication. Postman provides an extension called interceptor which can be installed which then allows a setting to be configured to switch off automatically following redirects.
The following forum post provides further details
Hope this helps