Just to make sure: you’re not using the username for a key or login on your site, right? We’re switching over to IDs only for API calls, so I just want to make sure you’re storing the ID from the API as well so that it doesn’t break in the future. 
Have you tried doing a single scope and seeing if the root sends back that it is a valid token? It looks like (based on the returned value) you’re requesting two scopes. What does your request URL look like with both scopes?