

 

Symptoms


An access denied error message is shown for a user who should have access to the SharePoint site through AD group membership. If access is granted directly to the user (not through group membership), there is no error message.
 

Diagnosis


Based on these symptoms, verify that user group resolution for SharePoint functions properly (including the services it relies on), as described in the following KB article:
http://help.k2.com/kb001627.aspx
https://community.nintex.com/t5/K2-Archived-Articles/KB001627-Known-Issue-when-using-OAuth-with-On-Premises/ta-p/218760 

Also keep in mind that SharePoint has a +/- 15 minute cache, which is resolved by interpreting the OAuth token to determine which groups the user belongs to and then trying to resolve those groups against the User Profile store. This relies on the user profile synchronization configuration being correct, which includes the following:
- Fully functional synchronization connection.
- Fully functional profile import.
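
A read-only check of the pieces named above, added here as an example (it is not part of the original article or any K2/Nintex tooling). The site URL, account and group names are placeholder assumptions; run it in the SharePoint Management Shell on a farm server with the ActiveDirectory module installed, under an account that has rights on the User Profile Service Application.

```powershell
# Added diagnostic example. All three default values are placeholders (assumptions).
param(
    [string]$SiteUrl = 'https://sharepoint.example.local/sites/demo',
    [string]$Account = 'EXAMPLE\jdoe',
    [string]$AdGroup = 'SP-Demo-Members'
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory -ErrorAction Stop
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.Office.Server.UserProfiles')

# 1. Services that group resolution relies on: list every User Profile
#    service instance in the farm with its status and hosting server.
Get-SPServiceInstance |
    Where-Object { $_.TypeName -like 'User Profile*' } |
    Select-Object TypeName, Status, @{ n = 'Server'; e = { $_.Server.Address } } |
    Format-Table -AutoSize

# 2. Is the user actually a member of the AD group, nested groups included?
$sam     = $Account.Split('\')[-1]
$inGroup = [bool](Get-ADGroupMember -Identity $AdGroup -Recursive |
                  Where-Object { $_.SamAccountName -eq $sam })

# 3. Has the profile import created a profile for this account?
$context    = Get-SPServiceContext -Site $SiteUrl
$upm        = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)
$hasProfile = $upm.UserExists($Account)

# 4. Summarize which side of the chain needs attention.
$next = if (-not $inGroup) {
    'User is not in the AD group: fix membership in AD first.'
} elseif (-not $hasProfile) {
    'AD is correct but no profile exists: check the sync connection and run a full synchronization.'
} else {
    'AD and profile both present: run a full synchronization, then retest after the cache period.'
}

[pscustomobject]@{
    Account     = $Account
    AdGroup     = $AdGroup
    InAdGroup   = $inGroup
    HasProfile  = $hasProfile
    Suggestion  = $next
}
```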
 

Resolution

Synchronize the user profile application service:

Open Central Administration > Click on User Profile Service Application > Click on Start Profile Synchronization > Start Full Synchronization > Click OK.

Verify user profile application connection configuration:

Open Central Administration > Click on User Profile Service Application > Click Configure Synchronization Connections > Click the edit context menu on the connection that syncs the user and the group > Enter password and click Populate Containers.




 