How can I control api execution based on app_metadata value?

Hi there @s.kurihara, welcome to the community!

I think your first bulleted idea is the best way to go about this - Add the necessary metadata as a custom claim in the access token. Once your backend/API verifies the token, you can perform any business logic based on the metadata available in the custom claim. I’d avoid using the Management API if possible due to the requirement to make an extra call to Auth0, rate limits, etc.

Hope this helps to clarify!
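The approach in the answer above, sketched from the API's side as an added example (not part of the original post and not Auth0's code): the API verifies the access token's signature, issuer, audience and expiry, and only then branches on the custom claim. The issuer, audience, claim namespace, the `plan` key and the locally generated key pair are all assumptions made so the example runs offline.

```javascript
// Added example: keys, issuer, audience, claim name and the "plan" key are constructed.
const crypto = require('node:crypto');

const ISSUER = 'https://tenant.example/';          // assumed token issuer
const AUDIENCE = 'https://api.example/';           // assumed API identifier
const CLAIM = 'https://api.example/app_metadata';  // assumed namespaced custom claim
const b64u = (v) => Buffer.from(v).toString('base64url');

// Stand-in for the authorization server: signs a token carrying the custom claim.
function issueToken(privateKey, claims, alg = 'RS256') {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// API side: verify signature and standard claims before trusting any payload field.
function verifyToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(AUDIENCE)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Business rule: allow the call only if the verified claim carries the required value.
function canExecute(token, publicKey, requiredPlan) {
  try {
    const meta = verifyToken(token, publicKey)[CLAIM];
    return Boolean(meta) && meta.plan === requiredPlan;
  } catch {
    return false; // any verification failure denies the request
  }
}

// Constructed sample tokens, signed with a throwaway key pair.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const exp = Math.floor(Date.now() / 1000) + 300;
const base = { iss: ISSUER, aud: AUDIENCE, sub: 'user|123', exp };
const proToken = issueToken(privateKey, { ...base, [CLAIM]: { plan: 'pro' } });
const freeToken = issueToken(privateKey, { ...base, [CLAIM]: { plan: 'free' } });
console.log(canExecute(proToken, publicKey, 'pro'), canExecute(freeToken, publicKey, 'pro'));
```

In a real API the public key would come from the tenant's published signing keys rather than a local key pair, and a maintained JWT library would normally replace the hand-written verification.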