Hi there @andynbruce, welcome to the community!
Everything looks good here except the audience param in your request to /oauth/token needs to be https://your_domain/api/v2/, the identifier of your tenant's Management API. If you navigate to the API itself in your tenant dashboard (Applications → API → Management API), you should see a “Test” tab. This will allow you to choose an application with permission to test this flow. You should be able to extract the token from this page and use it against your Management API. If you copy the token and inspect it at jwt.io, you’ll see that it has the correct audience.
Here’s what the “Test” page looks like:
Hope this helps!
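
As an added example (not part of the reply above and not Auth0's own code), the audience check described there can be done locally by decoding the token's payload instead of pasting it into a website. The function names are hypothetical, `your_domain` is the placeholder from the reply, and the sample tokens are constructed and unsigned; the signature is not verified here.

```python
import base64
import json

DOMAIN = "your_domain"  # placeholder from the reply; use your tenant domain
MGMT_AUDIENCE = f"https://{DOMAIN}/api/v2/"  # Management API identifier


def token_request_body(client_id, client_secret, audience=MGMT_AUDIENCE):
    """Body for POST https://<domain>/oauth/token (client credentials grant)."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }


def jwt_claims(token):
    """Decode the payload segment of a compact JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token, expected=MGMT_AUDIENCE):
    """True if `expected` appears in aud; the match is exact, trailing slash included."""
    aud = jwt_claims(token).get("aud")
    if aud is None:
        return False
    return expected in ([aud] if isinstance(aud, str) else list(aud))


def constructed_token(claims):
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    good = constructed_token({"aud": MGMT_AUDIENCE, "scope": "read:users"})
    wrong = constructed_token({"aud": "https://example.test/my-api"})
    print(audience_matches(good), audience_matches(wrong))
```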
