Hopefully this will help others, what was happening is that even though the audience was set in Postman it wasn’t actually sending it in the request so what was coming back was a JWE, not a JWT (similar to Auth0 access token is missing the JWS payload)
The audience had been set in Postman but it doesn’t seem to actually send it so I had to include the audience in the query string e.g. https://{TENANT}auth0.com/authorize?audience=https://{MYAPI}, there’s more info on the Postman issue here:
Feature Request: specify audience when getting OAUTH2 token · Issue #2934 · postmanlabs/postman-app-support · GitHub