groups as scopes will only automatically add that information (if available at the user level) to the issued ID token (never to the access token) and only when the request is performed using a legacy authentication pipeline. If you’re performing a request that returns an access token valid for your own API then you’re not using the legacy pipeline.
The non-legacy pipeline strictly follows the OpenID Connect specification and does not include (not even for the ID token) the non-standard information about roles and groups as these are not standard claims defined by the spec.
If you want to include custom information in the issued tokens (either ID token or access token) then you should check the reference documentation on how to add custom claims.
Basically, create a rule that runs after the rule that the authorization extension created and set custom claims in the issued tokens based on the information at the user object (placed by the extension rule); for example,
context.accessToken"https://myapp.example.com/roles"] = user.roles.