Hey there @nicktb!
Do you mind sharing a har file for a user logging in through you React app?
You may also want to look into adding authorizationParams to your Auth0Provider - The audience might not be included in the authorize call constructed by the React SDK. It might look like:
<Auth0Provider
domain="your_domain.us.auth0.com"
clientId="client_id"
authorizationParams={{
redirect_uri: window.location.origin,
audience: "https://test-api-endpoint",
scope: "openid profile"
}}
>
<App />
</Auth0Provider>
Keep us posted!