Indeed it appears that it does.
- If the object could not be added to the collection, for example due to the privacy settings configured by its owner, the server SHOULD either respond with
403 Unauthorizedor respond with200 OKand later send aReject{Create}activity to the originating server.