You loaded /authorize in a browser
You loaded /token in command line curl
If it’s firewall then a browser “looks legimate due to all the user data” where command line curl looks suspciious as it’s command line.
And both calls are very different operations
It could be “firewall” type stuff. When things like this happen it doesn’t make sense.
Could also be that something is middlemaning your connectiong and getting confused over the non URL encoded redirect_uri