Not allowed when calling api/v1/authn/factors/SMS/verify

Hello guys. I’m trying to test the SMS password recovery flow.

First I call:

curl --location --request POST 'https://OKTADEV/api/v1/authn/recovery/password' \
--header 'Authorization: SSWS token' \
--header 'Content-Type: application/json' \
--data-raw '{
  "username": "username",
  "factorType": "SMS"
}'

and I get the stateToken and the status is returned as RECOVERY_CHALLENGE

With the stateToken I call:

curl --location --request POST 'https://OKTADEV/api/v1/authn/factors/SMS/verify' \
--header 'Authorization: SSWS TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
  "stateToken": "TOKEN FROM LAST CALL",
  "passCode": "XXXXXX"
}'

But I get this response:

{
    "errorCode": "E0000079",
    "errorSummary": "This operation is not allowed in the current authentication state.",
    "errorLink": "E0000079",
    "errorId": "oae0z7F_4vQQtapf4jD4cPaUw",
    "errorCauses": [
        {
            "errorSummary": "This operation is not allowed in the current authentication state."
        }
    ]
}

Can anyone help me with that? Am I missing any steps?

Anybody? I need some help.