I just found out GitHub organizations can now restrict how you can authenticate against them:

▸ hub clone aikidosec/firewall-node
github.com username: foca
github.com password for foca (never stored):
Error getting repository info: Forbidden (HTTP 403)
`AikidoSec` forbids access via a personal access token with fine-grained permissions. Please use a GitHub App, or an OAuth App.

A workaround (that worked for me, on macOS) was to open Keychain Access, search for the gho_* token generated for git-credential-manager, and copy that into ~/.config/hub.

It would be ideal if Hub used an OAuth app / GitHub App for authentication, though, to avoid having to do this.