Problem

• You are deploying AD RMS with Mobile Device Extension, and thus you also need to deploy AD FS infrastructure.
• The AD FS server is on Windows Server 2016, i.e. AD FS version 4.
• You are following steps or using PowerShell scripts from the link below to setup ADFS Relying Party Trust for ADRMS Mobile Device Extension
  Active Directory Rights Management Services Mobile Device Extension
• You setup everything and using a supported Office Mobile application (for either Android or iOS), but client (for iOS) reports You cannot set permissions or open a file with restricted permission because an error occurred.
• You can find Event log ID 364 and 1020 on ADFS server stating: MSIS9321: Received invalid OAuth request. The client ‘d3590ed6-52b3-4102-aeff-aad2292ab01c’ is forbidden to access the resource ‘api.rms.rest.com’.

Resolution

I would suggest you to use AD FS on Windows Server 2012 R2, since the automatically generated Relying Party Trust is designed for Windows Server 2012 R2.
If you are using Windows Server 2016 to test the ADRMS, the ADFS just not accept OAuth2 request from your Office Mobile client.
The ADRMS server can be deployed on WS2016 without problem.
To verify this, you can turn off the WS2016 ADFS and deploy a fresh new ADFS on WS2012R2 with the same adfs Group Management Service Account and IP address, but a separate SQL database instance. WID can be used for this test.