Getting /userinfo from frontend works, but not from backend

I use Lock to authenticate on my Angular frontend without any problems:

  lock = new Auth0Lock(AUTH_CONFIG.clientID, AUTH_CONFIG.domain, {
    oidcConformant: true,
    autoclose: true,
    socialButtonStyle: 'small',
    rememberLastLogin: true,

    auth: {
      redirectUrl: AUTH_CONFIG.callbackURL,
      responseType: 'token id_token',
      audience: `https://${AUTH_CONFIG.domain}/userinfo`,
      params: {
          prompt: 'select_account',
      },
    },
  });

Getting userinfo works too:

    this.lock.getUserInfo(authResult.accessToken, (err, profile) => {
      localStorage.setItem('profile', JSON.stringify(profile));
      this.router.navigate(['/']);
      console.log(profile);
    });

However, on my Node.js backend I get an Unauthorized 401 message when trying to access /userinfo using the same access token:

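    // app, checkJwt and request (the "request" package) are set up elsewhere.
    app.post("/claimAccount", checkJwt, function (req, res) {
        var bodyStr = '';
        req.on("data", function (chunk) {
            bodyStr += chunk.toString();
        });
        req.on("end", function () {
            try {
                const data = JSON.parse(bodyStr);
                console.log(req.user);
                console.log(req.headers.authorization);

                // Forward the incoming Authorization header unchanged to /userinfo
                var headers = {
                    'authorization': req.headers.authorization,
                    'content-type': 'application/json'
                };

                var options = {
                    url: 'https://etherauth.eu.auth0.com/userinfo',
                    headers: headers
                };

                function callback(error, response, body) {
                    if (error) {
                        // No response object exists when the request itself failed
                        console.log("request error: " + error);
                        return;
                    }
                    console.log("statuscode : " + response.statusCode);
                    if (response.statusCode == 200) {
                        console.log("ui succ: " + body);
                    }
                }
                request(options, callback);
            } catch (e) {
                console.log("invalid JSON body: " + e.message);
            }
        });
    });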

req.user consists of the following:

{ iss: 'https://etherauth.eu.auth0.com/',
  sub: 'facebook|10154740758691918',
  aud: '2eY_5Pf9DxJx1R1CqvJsYPHbwGfbCLDz',
  exp: 1504739649,
  iat: 1504703649,
  nonce: 'saMorzyuLIE7GkyS3FA9SK-_lOfoONSk',
  at_hash: 'zivjSUNooWq38kemfFfQhw' }

I cannot just send the userinfo to the backend since there should be no way of spoofing it.

Maybe this is related: How come req.aud equals my ClientID on the backend API call, when I have audience: https://${AUTH_CONFIG.domain}/userinfo, in the lock constructor in the frontend?
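
The claims logged in `req.user` above carry `nonce`, `at_hash` and an `aud` equal to the client ID, which are the marks of an OIDC ID token, while /userinfo expects an access token. The following diagnostic is an added example, not code from the original post: it classifies whatever arrives in the `Authorization` header. `classifyBearer`, `sampleJwt` and the `https://api.example.test` audience are hypothetical names, and the tokens are constructed, unsigned samples.

```javascript
// Diagnostic only: decodes the payload WITHOUT verifying the signature,
// so the result is for logging and must never be used as an auth decision.
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Heuristic classification of an Authorization header value.
// Returns 'id_token', 'jwt_access_token' or 'opaque'.
function classifyBearer(headerValue, clientId) {
  const token = String(headerValue || '').replace(/^Bearer\s+/i, '').trim();
  const parts = token.split('.');
  if (parts.length !== 3) return 'opaque';
  let claims;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return 'opaque'; // three segments, but the payload is not JSON
  }
  if (claims === null || typeof claims !== 'object') return 'opaque';
  const aud = [].concat(claims.aud || []);
  // OIDC Core: an ID token's aud contains the client_id, and nonce/at_hash
  // are ID token claims. An access token's aud names the API it is meant for.
  if (aud.includes(clientId) || 'nonce' in claims || 'at_hash' in claims) {
    return 'id_token';
  }
  return 'jwt_access_token';
}

// Constructed samples: unsigned placeholders built from the claims in the post.
function sampleJwt(claims) {
  return [b64urlEncode({ alg: 'RS256', typ: 'JWT' }), b64urlEncode(claims), 'sig'].join('.');
}
const CLIENT_ID = '2eY_5Pf9DxJx1R1CqvJsYPHbwGfbCLDz'; // client ID shown in the post
const postClaims = {
  iss: 'https://etherauth.eu.auth0.com/', sub: 'facebook|10154740758691918',
  aud: CLIENT_ID, exp: 1504739649, iat: 1504703649,
  nonce: 'saMorzyuLIE7GkyS3FA9SK-_lOfoONSk', at_hash: 'zivjSUNooWq38kemfFfQhw',
};
const apiClaims = { iss: postClaims.iss, sub: postClaims.sub, aud: 'https://api.example.test' };

console.log(classifyBearer('Bearer ' + sampleJwt(postClaims), CLIENT_ID));
console.log(classifyBearer('Bearer ' + sampleJwt(apiClaims), CLIENT_ID));
console.log(classifyBearer('Bearer kQ3xOpaqueConstructedValue', CLIENT_ID));
```

Logging this result next to `req.headers.authorization` in the route shows which of the two tokens from `responseType: 'token id_token'` the frontend attached.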