Adding SSL/TLS Scanning Exclusions through script

Hello everyone, 

I've been attempting to write a script to add (and also remove if needed) SSL/TLS scanning exclusions in Sophos Central. 
From what i've gathered, it's the following PATCH request that needs to be sent: Endpoint API | Sophos Central APIs

However for the life of me i can't get this to work in PowerShell. Here's my code: 

    $headers @{
        'Authorization' "Bearer $global:sophosAccessToken"
        'X-Tenant-ID' "$tenantID"
        'Content-Type' "application/json"

    $body '{
               "add": [
                    "value": "xxx",
                    "comment": ""
                "remove": [
                    "value": "",
                    "comment": ""
    $response Invoke-RestMethod -Method Patch -Uri $completeApiUrl -Headers $headers -Body $body
    Write-Host $response
The headers are not a problem (with maybe the exception of Content-Type), i've been using them in several other GET functions without the issue. This code is wrapped in a function which has the required variables as parameters, the URL is correct as well. 
The body is literally copied from the documentation, it's just a string which i pass into the Patch request. I've seen this done in exactly the same way in some of the sample scripts from here: Sophos Central API Academy 2022 sample scripts - Recommended Reads - Sophos Central - Sophos Community

I've no clue why this is just refusing. In this particular scenario i get BadRequest response. However, let's say i delete the "remove" part of the body, only leave "add" -> Then suddenly i get an internalServerError response. I suspect my $body might be wrongly built, or perhaps this request is just not working on server side?
If possible, please test if you get it to work :) What should i do differently?