what should be HTTP status code for credentials Expired error/exception?

As the timestamp is invalid, I think the token is invalid. So the client is not authenticated anymore. So I would throw a 401 Unauthorized. You're free to add extra data of the context as HTTP header with the X- prefix, or to add a response body encoded according to the Accept request header (json, text, etc.). Like:

{
  "error": {
    "status": 401,
    "details": {
      "code": "401.3",
      "description": "The timestamp provided must not be in the future."
    }
  }
}

It is not a 403 Forbidden : 403 means "the client is authenticated but does not have the right to send this request". In your case, I think the client is not authenticated any more.