The ClientID has to be the one that the OAuth token was generated with.
If you are using an App Access token, then the user visits your website, the front end tells the backend what to do and the backend runs with the existing access token.
I’m not sure who the someone else is in this scenario.
No, it’s not a header, it’s a query string argument.