Before I show you how, you must be wondering: why?
When developing for Sitecore Experience Commerce 9 and using Postman, you need to disable Cross-Site Request Forgery (CSRF) validation, which is turned ON by default.
In order to do this, you need to set AntiForgeryEnabled to false in wwwroot\config.json under your Commerce Engine instance root:
P.S. To read up more on how CSRF attacks are prevented, have a look here.
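
Since this change is made for development with Postman, a deployment pipeline can check that it has not travelled to another environment. The script below is an added example, not part of the original post or of Sitecore's tooling; it looks for `AntiForgeryEnabled` at any depth in each engine root's `wwwroot/config.json`, and the sample JSON with its surrounding key names is a constructed assumption.

```python
import json
import sys
from pathlib import Path

KEY = "AntiForgeryEnabled"  # setting named in the post
# Constructed sample (leading BOM included to exercise BOM handling);
# every key except AntiForgeryEnabled is an assumption.
SAMPLE = '\ufeff{"AppSettings": {"SiteTitle": "Example", "AntiForgeryEnabled": false}}'

def find_setting(node, path=""):
    """Yield (json_path, value) for every occurrence of KEY, at any depth."""
    if isinstance(node, dict):
        for name, value in node.items():
            here = f"{path}.{name}" if path else name
            if name.lower() == KEY.lower():
                yield here, value
            else:
                yield from find_setting(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_setting(item, f"{path}[{i}]")

def is_disabled(value):
    """Boolean false and the string "false" (any case) both count as off."""
    return value is False or (isinstance(value, str) and value.strip().lower() == "false")

def audit_text(text):
    """Return [(json_path, value)] where CSRF validation is switched off."""
    data = json.loads(text.lstrip("\ufeff"))
    return [(p, v) for p, v in find_setting(data) if is_disabled(v)]

def audit_roots(roots):
    """Check wwwroot/config.json under each Commerce Engine instance root."""
    findings = {}
    for root in roots:
        cfg = Path(root) / "wwwroot" / "config.json"
        if cfg.is_file():
            hits = audit_text(cfg.read_text(encoding="utf-8-sig"))
            if hits:
                findings[str(cfg)] = hits
    return findings

if __name__ == "__main__":
    roots = sys.argv[1:]  # engine instance roots; none given -> use the sample
    results = audit_roots(roots) if roots else {"<constructed sample>": audit_text(SAMPLE)}
    for cfg, hits in results.items():
        for json_path, value in hits:
            print(f"{cfg}: {json_path} = {value!r} (CSRF validation off)")
    sys.exit(1 if any(results.values()) else 0)
```

Pass the engine instance roots as arguments; a non-zero exit code means at least one of them has the setting disabled.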