But as I understand from the documentation, the access token given by auth0-spa-js does can not have the required scopes to call most of the Management API endpoints (read:users for example).
Yes, that’s correct. Scopes are limited in that regard.
Full scopes are only granted via M2M (Machine to Machine), which should be done from a secure application such as your backend.
The backend for the application is a Spring Boot API, should I generate the token there and use that in the SPA?
No, don’t pass the Management API access token to the SPA. Instead, proxy the search request from the SPA through your backend.
Your backend communicates via M2M / Client Credentials Exchange with the Auth0 Management API.
Your SPA communicates via your backend. So, create a search endpoint on your backend, take the query, and make the query call to the Auth0 Mgmt API. Then your backend passes on the response to your SPA.