This leaks your Auth0 client secret to anyone using the extension…
The remote server has set a header which disallows the access-control-allow-origin header being used in calls made to it.
This isn’t a “Twitch/Extension Configuration” problem.
It’s Auth0 blocking this request as it includes a disallowed header, in this case access-control-allow-origin is the conflicting header.
This is likely done to prevent you trying to generate a client_credentials token and leaking your client secret to the world