Setup SSO-gated access to a SPA + PKCE once booted

I am working on an internal-facing Single Page App that needs to be protected via an Okta-backed SSO proxy using a client secret (already written and used for other internal systems), however once the application loads it needs to do its own call to a custom Okta Authorization Server (via a PKCE flow) to fetch its own access token to call to downstream services.

Is there an easy way to handle these two competing flows with the same Okta Application entity? Or do we need to create two separate application entities to deal with the different flows?