Please see my comment in this thread, it’s very similar:
But when I try to get the access token with “read:users” scope using a username/password and client id/secret from the Web App
Can you specify which grant type (Authorization Code Grant, Resource Owner Password Grant, etc.) you’re using?
If you’re not using Client Credentials Grant (M2M) but requesting it on behalf of a user, which I assume, the scopes you can request are limited, as per my linked thread above.