What's the right http status of locked user due to brute force attack?

I'm a teapot

If you determine that your application is under attack, you could return 418 (I'm a teapot) and use a "short and stout" message in the response payload.

Unauthorized and forbidden

For HTTP authentication (stateless and sending the credentials in the Authorization header) use 401 (Unauthorized) to indicate that the credentials have been refused for that request.

Assuming that the credentials are valid but the user account is locked (or in any other condition that prevents the server from accepting the request), you could use 403 (Forbidden) and a descriptive message in the payload. Quote from the RFC 7235:

A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code.