Many thanks @pvarner.
This worked for me.
For anyone’s reference I used this code to refresh the token, which included the updated roles/permissions:
renewToken() {
this.auth0Client$.subscribe((client: Auth0Client) => {
client.getTokenSilently({ audience: config.audience, scope: config.domain, ignoreCache: true });
});
}