You're absolutely right. So by the same logic I'll argue that those should also be 3xx codes and not 4xx. After all, being "unauthorized"/"forbidden" is a valid state for a client to be in (so not an error!) albeit one that might not be fixable by the client, whereas "payment required" seems to imply that the client can fix the condition.
401 is used for logins in the proper case. In practice 403 is used here too. The example of HTTP authentication requires a follow up request to be made. This would be unresolvable if the user doesn't have an account or couldn't sign up.
403 would be used anytime the user doesn't have permission. This could be an authenticated user who simply does not have permission to access the requested resource.
Unlike 3xx these states require user intervention. If you trust your browser to save passwords, perhaps not. Similarly for a 402, a payment flow would be required before the request could be completed.
Again, you might choose to trust a resource that prompts you with a 402, but that would be like automatically sending your password.
Usually when building a webapp, your 401 error page will contain a login/signup form, or you can use the HTTP authentication scheme. There's no need to redirect, because your 401 contains the information needed for the user.
3xx on the other hand is usually handled by the client, but I may be mistaken. Take care.
