You have a couple of things wrong here. First, the default server is used to issue access tokens for your own API, not the Okta management API. To get a management API token, drop the “/default” and use the org authorization server. This has to be for an application requesting the access token, so make sure the application has okta.groups.read granted under “Okta API Scopes” and you request that scope for the token.
Look for the documentation on authorization servers and read about the org server here: Authorization servers | Okta Developer. Information on the roles request in the groups API isn’t in the documentation linked from the developer website, but it is here: Role Assignments.
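A pre-flight check for the mistake described in the reply above, added here as an example and not part of the original post. The function names are hypothetical and `example.okta.com` is a placeholder domain; the check cannot see whether the scope was actually granted to the application under “Okta API Scopes”.

```python
from urllib.parse import urlsplit


def authorization_server(url):
    """Classify an Okta OAuth 2.0 endpoint URL.

    Returns "org" for /oauth2/v1/..., or the custom authorization
    server id (for example "default") for /oauth2/{id}/v1/...
    """
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if len(segments) >= 2 and segments[0] == "oauth2":
        if segments[1] == "v1":
            return "org"
        if len(segments) >= 3 and segments[2] == "v1":
            return segments[1]
    raise ValueError(f"not an Okta OAuth 2.0 endpoint: {url}")


def org_token_endpoint(url):
    """Token endpoint of the org authorization server on the same host."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/oauth2/v1/token"


def preflight(token_endpoint, requested_scopes, needed_scope="okta.groups.read"):
    """Return a list of problems with a management API token request."""
    problems = []
    server = authorization_server(token_endpoint)
    if server != "org":
        # Custom servers (including "default") mint tokens for your own API.
        problems.append(
            f"custom authorization server '{server}' issues tokens for your "
            f"own API; use {org_token_endpoint(token_endpoint)}"
        )
    if needed_scope not in requested_scopes.split():
        problems.append(f"scope '{needed_scope}' is not requested")
    return problems


if __name__ == "__main__":
    # Constructed sample requests.
    print(preflight("https://example.okta.com/oauth2/default/v1/token", "openid"))
    print(preflight("https://example.okta.com/oauth2/v1/token", "okta.groups.read"))
```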