400 - Invalid authorization code

And for this is a full example of the code/auth code flow to help

and

        // $i = curl_getinfo($ch);
        curl_close($ch);

        $response = json_decode($r, true);

        if ($response['status'] == 200) {
            $token = json_decode($r);

should be

        $i = curl_getinfo($ch);
        curl_close($ch);

        if ($i['http_code'] == 200) {
            $token = json_decode($r);

There isn’t a status field in the json decoded data