Custom claims not added to access_token despite Rule

For anyone else who ends up here - it appears that Rules are not run for the Client Credentials Flow (used by M2M applications hitting the /oauth/token endpoint). According to Auth0 support staff:

Actually Client Credentials grant requests do not trigger Auth0 Rules pipeline because they are not considered user logins. They should be used only for Machine-to-Machine API calls.

In order to modify the Access Token scopes or add your own custom claims you can utilize the Client Credentials Exchange Hook: Customize Tokens Using Hooks with Client Credentials Flow

Using Hooks resolved the problem for me, hopefully it helps others out as well.
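As an added illustration (not code from this thread or from Auth0's own examples), here is the shape of a Client Credentials Exchange Hook that adds custom claims to the M2M access token. The `(client, scope, audience, context, cb)` signature is the one Auth0 documents for this hook type; the `https://example.com/` namespace, the `client.metadata.tenant` lookup and the sample client are assumptions for illustration.

```javascript
// Added example: Auth0 Client Credentials Exchange Hook that injects
// namespaced custom claims into the access token issued to an M2M client.
// Namespace URL and metadata keys are assumed values, not from the thread.
const CLAIM_NAMESPACE = 'https://example.com/';

// Build the token additions as a plain object so the logic can be unit-tested
// without the hook runtime. Auth0 passes `scope` as an array of strings.
function buildAccessToken(client, scope) {
  const accessToken = {};

  // Preserve the scopes the client was granted. A hook may narrow this list
  // but should never widen it beyond what the client is authorized for.
  accessToken.scope = Array.isArray(scope) ? scope.slice() : [];

  // Custom claims must be namespaced with a URL; non-namespaced claims are
  // silently ignored by Auth0 when the token is minted.
  accessToken[CLAIM_NAMESPACE + 'client_name'] = client.name;

  // Only copy the tenant claim when the client actually carries one, so a
  // missing metadata entry does not become a misleading "undefined" claim.
  const tenant = client.metadata && client.metadata.tenant;
  if (typeof tenant === 'string' && tenant.length > 0) {
    accessToken[CLAIM_NAMESPACE + 'tenant'] = tenant;
  }

  return accessToken;
}

// The hook entry point Auth0 invokes for each /oauth/token client-credentials
// request. `audience` and `context` are unused here but part of the signature.
function clientCredentialsExchange(client, scope, audience, context, cb) {
  cb(null, buildAccessToken(client, scope));
}

if (typeof module !== 'undefined') {
  module.exports = clientCredentialsExchange;
}
```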
