System apps can go through the code programs as well as provider apps!
Here [1] is the workflow for system authorization. The tenant ID that you will use for the public sandbox is ec2458f2-1e24-41c8-b71b-0e701af7583d. In order to assist you in support, you will need to provide a Cerner-Correlation-Id or X-Request-Id from the response headers.
I am guessing that using the above tenant ID will solve your issues, since the rest of your request looks correct!
-Aaron (Oracle Cerner)