Usually Access Logs are unhelpful, as they just show where the user was sent and what paths they tried to go to. If it shows /scp/pwreset.php?token=xxx then that's what we expect. If you try to open that link yourself, do you get the same issue? Also, could you try disabling ModSecurity, restarting Apache, making sure ModSecurity is still disabled after the restart, and retesting? If that works, then you know ModSecurity is preventing it and you need to make some custom rules to allow it. I cannot assist with that as I'm unfamiliar with making ModSecurity rules.