A couple tips to ensure that you are sending the correct parameters, as I don’t have a full insight into your authentication flow:
Ensure that you use the same client for the browser flow and the server (cURL) flow
Make sure that you use the code quickly. Codes have an expiration time, so if you do an authentication, go for lunch, and then come back, it’s most likely going to be expired
Authorization codes are only valid once. If the Quickstart is already doing a code exchange (it most likely is), you will not be able to reuse this code. You can know if the Quickstart already exchanges the code if it’s showing you the user profile for the user that authenticated - it’s not possible to get that just from a code
Hopefully this helps - let me know if any of these ended up being the issue!