Managing Application Access with OpenID Connect and OAuth2

For our use case, we have an Auth0 rule that ensures the user exists in our database (so it creates the user if the user doesn’t exist); that way we don’t have to worry about missing users and such.

We also don’t have restrictions on which client they can access (from the Auth0 side). If they load up a dashboard they don’t have access to, the access_token is still issued by Auth0, but the API rejects calls to any endpoints.

This may or may not be acceptable for your system; it really depends on your business requirements.

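The arrangement described in the post above, where the token is issued regardless and the API makes the access decision, sketched as an added example (not code from the original post or from Auth0). It assumes an RS256 access token whose `azp` claim carries the dashboard's client ID; `USER_CLIENTS`, `API_AUDIENCE`, and the client and user IDs are hypothetical, constructed values.

```javascript
const crypto = require('crypto');

// Constructed sample data: which client (dashboard) IDs each user may use.
const USER_CLIENTS = new Map([
  ['auth0|alice', new Set(['dash-admin', 'dash-reports'])],
  ['auth0|bob', new Set(['dash-reports'])],
]);
const API_AUDIENCE = 'https://api.example.test'; // hypothetical API identifier

const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Verify an RS256 JWT signature and return its payload, or null if not genuine.
function verifyJwt(token, publicKey) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64').toString('utf8'));
    payload = JSON.parse(Buffer.from(p, 'base64').toString('utf8'));
  } catch { return null; }
  // Pin the algorithm; never let the token choose how it is verified.
  if (!header || header.alg !== 'RS256' || !payload) return null;
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64'));
  return ok ? payload : null;
}

// The API's decision: 401 if the token is not acceptable, 403 if it is
// genuine but this user may not use the client it was issued to.
function authorize(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const claims = verifyJwt(token, publicKey);
  if (!claims) return { status: 401, reason: 'invalid token' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { status: 401, reason: 'expired' };
  const aud = [].concat(claims.aud || []);
  if (!aud.includes(API_AUDIENCE)) return { status: 401, reason: 'wrong audience' };
  const allowed = USER_CLIENTS.get(claims.sub);
  // Deny by default: unknown user or unlisted client.
  if (!allowed || !allowed.has(claims.azp)) return { status: 403, reason: 'client not permitted for user' };
  return { status: 200, reason: 'ok' };
}

// Helper for local testing only: signs a constructed token in place of the identity provider.
function signJwt(payload, privateKey) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${b64url(crypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
}
```

Because the token is valid for any dashboard, a check like this has to run on every endpoint of the API; hiding the dashboard UI alone protects nothing.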