If you redirect the user to your own page, you are taking responsibility for ensuring that they are the proper user. Unless there is a VERY good reason to do this, you should use Auth0’s built in flow for changing the password.
Your application can access the Management API with a client credentials token. This token is NOT tied to the user changing their password. Again, you are taking that responsibility on if you do this.