As noted in our documentation, client authentication is required in order to revoke a user’s access or refresh tokens. The format for your client authentication (as you are using PKCE auth) will be different than it would be if you had a client secret, doc’d here.
For any endpoint that specifies client authentication is required, including /revoke, PKCE apps will need to include the client_id in the body of the request instead of supplying a clientId: clientSecret authorization header. See example here.