This issue stems from not having the specific CA in a CA bundle available for the cURL library (Or OpenSSL, though OpenSSL usually has this). You can grab any CA Bundle and apply it with:
// Replace the path here with the actual path for your CS bundle
$CABundlePemPath = realpath(__DIR__ . '/../cabundle.pem')
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, $CABundlePemPath);
The CA Bundle I use (Extracted from the FireFox browser source) is located here.
Now note that, while the solution you have here does work, it also means your server will not verify that api.twitch.tv is actually api.twitch.tv, meaning anyone can generate a cert and sit between you and the actual API and fake being the Twitch API to harvest tokens. I would recommend always verifying the peer as a safety measure for your OAuth tokens.