I just responded to you over here to recommend implicit flow: Do I need the client secret to get access token for backend testing - #2 by andrea
As long as you are sending the sessionToken over in the /authorize call and the user is assigned and there are no other MFA policies that they will run into for the specific application, it should work. Maybe take a look at this article: How to get tokens for an OIDC application without a browser using curl/Postman | Okta Help Center
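The /authorize call described in the reply above, sketched in Python as an added example that is not part of the original post or the linked article. The function names, the org URL, the client ID and the `/oauth2/v1/authorize` path (org authorization server) are assumptions; a custom authorization server uses a different path.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


def build_authorize_url(org_url, client_id, redirect_uri, session_token, scope="openid"):
    """Build an implicit-flow /authorize URL that carries a one-time sessionToken.

    Returns (url, state) so the caller can verify state on the redirect.
    """
    params = {
        "client_id": client_id,
        "response_type": "token",          # implicit flow: access token in the redirect
        "scope": scope,
        "redirect_uri": redirect_uri,      # must match a redirect URI registered on the app
        "state": secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
        "sessionToken": session_token,     # from the primary authentication call
    }
    url = f"{org_url.rstrip('/')}/oauth2/v1/authorize?{urlencode(params)}"
    return url, params["state"]


def parse_redirect(location, expected_state):
    """Extract the access token from the Location header of the 302 response.

    Implicit flow returns its parameters in the URL fragment. Failures such as
    an unassigned user or an unmet policy come back as error/error_description.
    """
    parts = urlsplit(location)
    raw = parts.fragment or parts.query
    fields = {k: v[0] for k, v in parse_qs(raw).items()}
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in fields:
        raise PermissionError(f"{fields['error']}: {fields.get('error_description', '')}")
    if "access_token" not in fields:
        raise ValueError("no access_token in redirect")
    return fields["access_token"]
```

Send the request without following redirects and pass the `Location` header to `parse_redirect`. The sessionToken and the returned token both travel in URLs, so keep them out of request logs and shell history.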