FYI @pmusaraj / @angus in case you have ideas.
My guess here is … they started requiring a scope in the OAuth payload for security reasons.