I’ve been fighting with this issue recently, thinking it was a problem in the GraphQL client library I was using (dotnet) or in the JSON deserialization. I had even given up for a several weeks and moved on to other dev items. I came back to it tonight and found this thread, and it gave me an idea. The GraphQL app has full permissions, so I started looking at the private app API token I was using, and after a bit of experimentation, discovered that once I granted the “Merchant-managed fulfillment orders” Read Access, the fulfillmentOrders collection was being returned properly and deserialized properly in my app code.
Before:
After:
Hope this helps anyone else fighting this problem. The docs could probably be clearer about which token permissions are needed for a given edge of the graph API.