This is the wrong kind of token.
You need a User Access Token.
Client Credentials doesn’t represent the user.
You have the right scope but the wrong token type.
This is correct.
You need a “webpage” to get a token.
Then when you have that token you can feed it to an app that does stuff as needed. And refresh the token as needed using the refresh token.
If you need to do anything that involves protected user data, such as sub points, then you need a user token and NOT a client_credentials token.
client_credentials only works for public data (some exceptions).
The alternative is to use implicit auth, but then the token will die after 60 days and you need to manually feed it a new token.
Generally for “browser source” type things, the browser source connects to an external service, and that service handles the data handling and token shenanigans.
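A sketch of the service-side token handling described in the reply above, added here as an example and not part of the original post. It assumes the standard OAuth 2.0 refresh grant (RFC 6749, section 6); `TOKEN_URL` is a placeholder, and `UserTokenStore`, `ReauthorizationRequired` and the injected `http_post` callable are hypothetical names.

```python
import time
from urllib.parse import urlencode

# Placeholder token endpoint (assumption): use the provider's documented URL.
TOKEN_URL = "https://auth.example.invalid/oauth2/token"


class ReauthorizationRequired(Exception):
    """Refresh failed; the user has to go through the authorization web page again."""


class UserTokenStore:
    """Holds a user access token and renews it with its refresh token."""

    def __init__(self, client_id, client_secret, access_token, refresh_token,
                 expires_in, http_post, clock=time.time, skew=60):
        # http_post(url, form_body) -> (status_code, parsed_json_dict); hypothetical,
        # injected so the class can be exercised offline with a fake endpoint.
        self.client_id, self.client_secret = client_id, client_secret
        self.access_token, self.refresh_token = access_token, refresh_token
        self.http_post, self.clock, self.skew = http_post, clock, skew
        self.expires_at = clock() + expires_in

    def get(self):
        """Return a usable access token, refreshing `skew` seconds before expiry."""
        if self.clock() >= self.expires_at - self.skew:
            self.refresh()
        return self.access_token

    def refresh(self):
        body = urlencode({
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        status, data = self.http_post(TOKEN_URL, body)
        if status != 200 or "access_token" not in data:
            # Revoked or expired refresh token: it cannot be renewed silently.
            raise ReauthorizationRequired(data.get("error", "refresh failed"))
        self.access_token = data["access_token"]
        # The server may rotate the refresh token; keep the old one if it does not.
        self.refresh_token = data.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + data["expires_in"]
```

The client secret and refresh token stay on the service; the browser source only ever talks to that service.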