So your API/resource server and your front-end is configured to use the Default Authorization Server? And, yes, if you are referring to our okta-oidc-android library, you should make sure the discoveryUri includes /default in the path. Your mileage may vary with other libraries/SDKs, so double check the applicable reference doc to be sure you’re setting it as needed.
I’d be curious if you can find out if a manually generated token can be successfully used to access your API, because that at would likely point to a config issue on the native application.
The authorize call is usually handled through browser redirects, and that’s usually why one has trouble with it in Postman/curl. If you’re testing getting a token in Postman, you may want to check out this article that tells you how to find the authorization_code/token returned when you use the responseMode form_post.