This sounds like you are doing the requests in the front end, this is bad, hence it’s been blocked.
Doing it this way allows you to fetch and leak an access token aka a password (for want of a better description), and as or right now you are leaking your client_secret to the world, which is bad and against the Dev TOS
Your react front end needs to call your react back end and the react back end does the requests to Twitch and handles the secrets securely