Application roles in token both for user flows and machine flow

Hi @mbalicky,

Welcome to the Auth0 Community!

You have the correct approach for working with application roles for both your Authorization Code and M2M flows.

Using Actions is the recommended and best way to append custom claims to your tokens and shouldn’t have issues with scaling. Additionally, please note that triggering an authentication flow is still subject to the Rate Limit Policy and Rate Limit Configurations.

Finally, Auth0 does not support multiple audiences. If you need this behavior, you should instead use scopes to represent multiple APIs while using a single audience.
(Reference: Access tokens with multiple audiences - #2 by richard.dowinton)

Hope this helps!

Let me know if you have any questions.

Thanks,
Rueben
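
An added example, not part of the reply above and not Auth0's or the poster's own code: a sketch of the two Actions the thread is about, one on the post-login trigger for the Authorization Code flow and one on the credentials-exchange trigger for M2M, both writing the same namespaced roles claim. The namespace `https://example.com`, the `roles` client-metadata key and its comma-separated format, and the `cleanRoles` helper are assumptions made for illustration.

```javascript
// Added example: two Auth0 Actions shown in one file for comparison.
// In a tenant each handler lives in its own Action, bound to its own trigger.
const NAMESPACE = 'https://example.com'; // placeholder namespace (assumption)
const ROLES_CLAIM = `${NAMESPACE}/roles`;

// Hypothetical helper: sorted, de-duplicated list of non-empty role names,
// so APIs see the same claim shape regardless of which flow issued the token.
function cleanRoles(values) {
  const names = (values || []).map((r) => String(r).trim()).filter(Boolean);
  return [...new Set(names)].sort();
}

// Login flow (Authorization Code): roles assigned to the user in the tenant.
const onExecutePostLogin = async (event, api) => {
  const roles = cleanRoles(event.authorization && event.authorization.roles);
  api.accessToken.setCustomClaim(ROLES_CLAIM, roles);
  api.idToken.setCustomClaim(ROLES_CLAIM, roles);
};

// M2M flow (Client Credentials): there is no user, so roles are read from the
// application's metadata, stored as a comma-separated string (assumption).
// The value comes from tenant configuration, never from the token request.
const onExecuteCredentialsExchange = async (event, api) => {
  const raw = (event.client.metadata || {}).roles || '';
  api.accessToken.setCustomClaim(ROLES_CLAIM, cleanRoles(raw.split(',')));
};

// Actions expects handlers on `exports`; guarded so this also loads as an ES module.
if (typeof exports !== 'undefined') {
  Object.assign(exports, { onExecutePostLogin, onExecuteCredentialsExchange });
}
```

An API that accepts both token types can then authorize on the one claim name, and a client with no metadata or a user with no roles gets an empty array rather than a missing claim.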