Thanks for confirming!
It looks like the token shared is from a different authorized app - The sub claim should be the client_id of your brokerx-secure application. Basically, it looks like you just need to use the brokerx-secure credentials to get an access token as opposed to the application with a client_id beginning in WidyZzQpW....