In a SPA + backend API scenario, the token that should be sent to the backend is the Access Token and not the ID token. The ID token is meant as a user identifier and a place to get the user profile info for the SPA only. The backend authorization should be done with the Access Token.
If you are already passing the Access Token but still getting this error, it could be due to the SDK assuming it’s an ID Token. The Auth0 PHP SDK assumes a token is an ID token by default [1]. We need to explicitly tell it that we are validating an Access Token. E.g.:
$token = new Token($sdkConfig, $accessToken, Token::TYPE_TOKEN);
The azp check does not happen when an Access Token is decoded this way, so you shouldn’t get into the original error.
In case it helps, this document has a bit more detail on authorizing an API with PHP: Auth0 PHP API SDK Quickstarts: Authorization
[1] auth0-PHP/Token.php at bd785080772275d7769e9d046b188a8364db8fbe · auth0/auth0-PHP · GitHub
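
The Access Token handling described above, as an added example that is not part of the original post or Auth0's own code: a backend helper that takes the bearer token from the request, marks it as an Access Token, then checks signature, claims and scope. It assumes auth0/auth0-php 8.x installed via Composer; the tenant domain, API identifier, the scope `read:messages` and the function names `authorizeRequest` and `hasScope` are placeholders chosen for illustration.

```php
<?php
// Added example; assumes auth0/auth0-php 8.x is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Auth0\SDK\Configuration\SdkConfiguration;
use Auth0\SDK\Exception\InvalidTokenException;
use Auth0\SDK\Token;

// Placeholder tenant domain and API identifier (replace with your own).
$sdkConfig = new SdkConfiguration([
    'strategy' => 'api',                          // backend API: no sessions, no client secret
    'domain'   => 'YOUR_TENANT.auth0.com',
    'audience' => ['https://api.example.test'],   // must match the API identifier in the token's aud
]);

// Hypothetical helper: returns the token claims, or null if the request must be rejected.
function authorizeRequest(SdkConfiguration $sdkConfig, string $authorizationHeader): ?array
{
    if (preg_match('/^Bearer\s+(\S+)$/i', $authorizationHeader, $m) !== 1) {
        return null;                              // missing or malformed Authorization header
    }
    try {
        // TYPE_TOKEN tells the SDK this is an Access Token, not the default ID token.
        $token = new Token($sdkConfig, $m[1], Token::TYPE_TOKEN);
        $token->verify();                         // signature check against the tenant's keys
        $token->validate();                       // issuer, audience and expiry claims
    } catch (InvalidTokenException $e) {
        error_log('Access token rejected: ' . $e->getMessage());
        return null;
    }
    return $token->toArray();
}

// Hypothetical helper: the scope claim is a space-delimited string.
function hasScope(array $claims, string $required): bool
{
    return in_array($required, explode(' ', (string) ($claims['scope'] ?? '')), true);
}

$claims = authorizeRequest($sdkConfig, $_SERVER['HTTP_AUTHORIZATION'] ?? '');
if ($claims === null) {
    http_response_code(401);
    header('WWW-Authenticate: Bearer');
    exit;
}
if (!hasScope($claims, 'read:messages')) {        // placeholder scope name
    http_response_code(403);
    exit;
}
```

Returning 401 for a token that fails verification and 403 for a valid token without the required scope keeps authentication failures distinguishable from authorization failures in the API logs.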