Invalid client scope - Sign in With Apple

I’ve configured a social connection for Apple following the setup guide instructions here:

The instructions leave a lot to be desired, and are also out of date relative to the organization of the Apple developer portal. But, I believe I’ve configured things appropriately.

Despite this, I receive a “invalid request - invalid client scope” error whenever I test the connection. Working with Auth0 dev client id and keys work fine of course.

I’ve confirmed that the callback URL is set appropriately (https://{mydomain}/login/callback). The Auth0 docs are silent on this, but I also specified a scope in Apple portal for the service of “Roster API: User access”.

I’d appreciate any help here. Unclear what my next steps are - no logs showing up in Auth0 as the error is coming from Apple.