If the store determines that a client is unable to download a snap, it does not always include enough information for the client to provide useful feedback.
Recently, due to a temporary misconfiguration on a staging charm, the staging store was incorrectly determining that people could not download the core snap, but without sending enough information to the client, the client reported that the staging snap needed to be purchased.
Details: When a client downloads a snap a 401 response can be returned with the WWW-Authenticate header set to 'Macaroon needs_refresh=1', for example, so the client can respond appropriately. But there is also a case where the ACL check may result in a 401 and currently *no* WWW-Authenticate header is set, so clients are unable to give more information. If the store sent an applicable header value for purchase_required or similar, clients could differentiate.
Given there is a standard http status code for this (402 - Payment required) maybe we should return that for these cases.