I don't know how postman works (I use the VS code REST client myself for quick api calls and testing), but in order to use session token authentication, you have to pass 2 headers with each call:

X-XSRF-TOKEN: contains the x_xsrf_token from the session create request
Cookie: contains the cookies_string from the session create request