These codes follow the standard set by the HTTP rfc.
According to the Status Code Definitions section:
- 400 Bad Request
The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
- 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
- 404 Not Found
The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
In your case, if the URI constructed doesn't lead anywhere I think it would be appropriate to return 404.
And if the URI is valid but the data passed (like a json doc) is broken, then you should return 400.
EDIT:
Answering the OP comment: I think the system should return 400 when the syntax and also the meaning of the data are broken.