First off, if you are using OAuth for Okta, you need to use the Org authorization server when requesting tokens to send back to Okta, e.g. https://org.okta.com/.well-known/openid-configuration. Confusingly, this is different from the one we call “Default,” so make sure you’re using the right one! At this time, custom authorization servers (like Default) are incompatible with OAuth for Okta and Access Tokens issued by these servers cannot be used against Okta’s own management endpoints.
Second, when you do use the Org server, what scopes are you requesting?