The API authorization functionality which you’re trying to use implies the use of OpenID Connect (OIDC) compliant endpoints. These endpoints will strictly follow the OIDC specification and differ from previously available endpoints that were already available even before the final version of said specification.
In order to not impose breaking changes on developers that were already using the available endpoints, for now, you need to explicitly state that you want to make use of OIDC conformant endpoints and as a side-effect be eligible to rely on API authorization features.
For Lock Android you should use a configuration similar to the following in order to achieve what you need:
Auth0 auth0 = new Auth0("[client_id]", "[auth0_account_domain]");
lock = Lock.newBuilder(auth0, callback)
The above will mean that you will now obtain a JWT access token that your API can validate and accepts as means for authorizing the requests.