How to validate user role or permissions from my API

When using Authorization Code Flow for my application to access my API, i can’t find a good way to access user roles or permissions.
The access token includes scope and permission, but this is the permission my app is granted. I don’t get any information about the user permission.

I can View User Permissions via the management API, by passing the user id. Hence then my idea was to pass the user ID to my API and then have the API to check the role of the user.
But this way I would expect a random user could get an access token from my app, and then if they can find the user ID of an admin, manually pass that id to my API, and then gain access to the API with a different role.
Is this correctly understood, or what has I missed here?
What is the right way to do this?
My sample code can be found at github:
GitHub - martinbjerge/auth0_simple_api: Example of how to setup a simple API and protect it with AUTH0 and how to access it.