Hey there and welcome @bpkennedy !
One thing that you can check is if you include the audience parameter in your /authorize request.
audience parameter takes a value of the API identifier you have set in your Auth0 tenant, that you request access to (this way you should get the jwt token instead of an opaque token).
Also, just in case you missed it - the app registered in Auth0 that is calling the API resources should be allowed for this API (for the API in question, please go to the Machine to Machine Applications tab and toggle the Authorized button for the app in question).
Hope this helps - let us know!