Here's my take:
Any time the request succeeds. So, if, in the example above I ask which lineups are attached to my account, and there are none, you could send a 200 and an empty array. A REST purist may also argue that 404 could be appropriate since 'the resource doesn't exist'. I'd rather be pragmatic and just send the empty array.
Any time the client sends a request that is structurally or semantically incorrect. Bad syntax, bad data, etc.
401 vs 403
From what I've seen of this API, 401 should be sent if you need a token for a resource and haven't sent one, and 401 should probably never be sent. From what I've seen (and usually done) 401 means you need to authenticate, and 403 means you've authenticated, but can't do what you are asking to do. Since authorization with this API seems to be all or none, I wouldn't expect to see a 403.