Yes, I do have the “Allow Skipping User Consent” enabled for the API.
And yes, I did have a look at this discussion before posting:
The original problem was in Chrome. I’ve tried the same scenario in Chrome Incognito and Firefox Private windows, same exact result.
I also tried getTokenSilently() without the ignoreCache parameter, but that just returns the current token (without the roles/permissions) successfully.