For whatever reason it looks like you can’t do a normal shared secret client_credentials exchange with the organization token endpoint. Also the public/private key management stuff they mention in the following docs is hidden behind a Early Access toggle (Admin Dashboard → Settings → Features → Early Access → OAuth2 Secrets and Keys Management).