Getting a 403 when attempting to exchange an authorization code for an access token

In case anyone else is encountering this issue, the /token endpoint is returning a 403 because a CSRF check is failing. When a cookie is present in your request, Okta will assume it is coming from a browser and perform a CSRF check. In order to resolve this, ensure you are NOT including the ‘sid’ cookie with your request to /token.

If you encounter this issue in Postman, you can resolve it by clearing your cookies there.

3 Likes
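The fix described in the post, as an added example that is not part of the original thread: build the authorization-code exchange request so that any `sid` cookie left over from a browser session is stripped before the POST to `/token`, and send it through an opener that keeps no cookie jar. The token URL, client credentials and the helper names (`strip_sid_cookie`, `build_token_request`, `exchange_code`) are placeholders and assumptions, not Okta's own code.

```python
"""Added example (not from the original post): exchange an OAuth 2.0
authorization code at a /token endpoint without sending the 'sid' cookie,
which would make the server treat the call as a browser request and apply
its CSRF check (the 403 described in the thread).
Placeholder URL and credentials; hypothetical helper names."""
import json
import urllib.error
import urllib.parse
import urllib.request


def strip_sid_cookie(cookie_header: str) -> str:
    """Return the Cookie header value with the 'sid' cookie removed.

    Cookie request headers are 'name=value' pairs separated by ';'.
    An empty result means the Cookie header should be dropped entirely.
    """
    kept = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, _ = part.partition("=")
        if name.strip() == "sid":      # cookie names are case-sensitive
            continue
        kept.append(part)
    return "; ".join(kept)


def build_token_request(token_url, code, redirect_uri, client_id,
                        client_secret, headers=None):
    """Build the authorization-code grant request (RFC 6749 section 4.1.3).

    Any 'sid' cookie is removed from the supplied headers; if that leaves
    the Cookie header empty it is omitted. Returns (url, headers, body).
    """
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        # client_secret_post style; HTTP Basic auth is the usual alternative
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()

    clean = {}
    for name, value in (headers or {}).items():
        if name.lower() == "cookie":
            value = strip_sid_cookie(value)
            if not value:
                continue
        clean[name] = value
    clean.setdefault("Content-Type", "application/x-www-form-urlencoded")
    clean.setdefault("Accept", "application/json")
    return token_url, clean, body


def exchange_code(token_url, code, redirect_uri, client_id, client_secret):
    """POST the exchange. The opener is built without HTTPCookieProcessor,
    so nothing a previous response set (such as 'sid') is replayed."""
    url, headers, body = build_token_request(
        token_url, code, redirect_uri, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    opener = urllib.request.build_opener()   # no cookie jar attached
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        # A 403 here with a Cookie header present is the symptom from the post.
        return err.code, json.loads(err.read().decode() or "{}")


if __name__ == "__main__":
    # Constructed inputs: a stale browser 'sid' cookie plus an unrelated one.
    url, hdrs, body = build_token_request(
        "https://example.okta.com/oauth2/default/v1/token",  # placeholder
        code="AUTH_CODE_FROM_REDIRECT",
        redirect_uri="https://localhost/callback",
        client_id="CLIENT_ID",
        client_secret="CLIENT_SECRET",
        headers={"Cookie": "sid=LEFTOVER_BROWSER_SESSION; theme=dark"},
    )
    print(hdrs)   # Cookie header now carries only 'theme=dark'
```

`exchange_code` performs the real network call and is the one to use from a script or test client; `build_token_request` is separated out so the header scrubbing can be checked without contacting the identity provider. The same stripping is what clearing cookies in Postman achieves.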