With out a backend you are making this super complicated.
Aside from the issues you have identified on what the redirectURI would be, and where/how to store the access/refresh tokens. You have no way to perform the requests needed to update the information that is stored behind the scoped keys.
The Viewer front end sure can load the leaderboard from say the config service, (can’t call Twitch API directly as that would leak credentials).
But there is no way you can automate updating of that leaderboard, without the streamer going to your config or dashboard pages (which are not open by default) to load the code and perform the update of the data (whether that’s is automatically on load or by button press it doesn’t matter).
It also won’t account well for the streamer using multiple computers. Oh you authed on your laptop when setting up the extension, well now you have to auth again on your streaming PC, (which may also invalidate the first auth on the laptop), for example.
This is a very impractical way to do this. A backend service is the preferred route for handing sensitive data and the creation thereof (access token/refresh token), and the updating of the leaderboard data you wish to collect and display