I ended up going the implicit auth route, and now I have access to the stats I wanted! I am doing it in a bit hamfisted way – my redirect URI is just a landing page so I can grab the bearer token right from the address bar, and I manually feed it into my PHP code.
I do have a website set up with SSL, but I wouldn’t know where to start securely storing tokens and the like on the webserver. Is it a big issue if I’m just running my API lookups off of XAMPP from localhost?