If you move to variable length access token and authorization codes how do we test to verify that our application can handle these?
Only opaque tokens are affected by this change.
When the fixed width is turned off then only JWTs should be issued and those will vary in length depending on their attributes.
You can issue tokens with a different number of scopes which will result in different length tokens.
With authorization codes, there is no reliable way to produce a different length authorization code. You would need to run repeated tests where you check the length of each code until there is one with a different length and confirm there are no errors.