I get what you’re saying, still the access token will work only for reading rewards, so no worries.
Another solution could be providing the broadcaster the link to the oAuth screen and using the form layout, the one used in the previous solution, to let the broadcaster input the whole redirect URL managing then the access token request with a simple function. No?
Probably this is the solidest “serverless” solution yet.