Hi @mr.Nigel,
You are going to be limited in what scopes you can get for the Management API from a SPA, and that will not include the required scopes for the call you are trying to make. This is because a malicious party can easily inspect the Management API token and proceed to use it against your entire user store. I am not positive if this is related to the error you are receiving, but it will be blocked for your own security regardless.
More on that here:
http://community.auth0.com/t/how-do-i-use-the-management-api-in-my-single-page-application/24448/2
A potential workaround would be to add the roles to the token via a custom claim (this will actually save you an external call if you are simply trying to find out what roles a user has):
Or you could call the Management API from your backend.
Hope this helps!
Thanks,
Dan
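
The custom-claim workaround described in the reply above, as an added example that is not part of the original post: an Auth0 Action for the post-login trigger that copies the user's roles into the tokens, plus a helper the SPA can use to read them. The namespace URL and the helper names `addRolesClaim`, `rolesFromClaims` and `hasRole` are assumptions made for illustration.

```javascript
// Added example: Auth0 Action on the post-login trigger (Login flow).
// NAMESPACE is a placeholder; use a URL you control as the claim prefix.
const NAMESPACE = "https://example.com";
const ROLES_CLAIM = `${NAMESPACE}/roles`;

// Copies the roles Auth0 resolved for this login into both tokens.
function addRolesClaim(event, api) {
  // event.authorization may be absent, so fall back to an empty list.
  const roles = (event.authorization && event.authorization.roles) || [];
  api.idToken.setCustomClaim(ROLES_CLAIM, roles);     // read by the SPA
  api.accessToken.setCustomClaim(ROLES_CLAIM, roles); // read by your API
  return roles;
}

// Entry point Auth0 invokes; no Management API token is involved.
async function onExecutePostLogin(event, api) {
  addRolesClaim(event, api);
}
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// SPA side: read roles from already-validated ID token claims
// (for example, the user object your Auth0 SDK returns).
function rolesFromClaims(claims) {
  const value = claims ? claims[ROLES_CLAIM] : undefined;
  // Treat anything that is not an array of strings as "no roles".
  if (!Array.isArray(value)) return [];
  return value.filter((r) => typeof r === "string");
}

function hasRole(claims, role) {
  return rolesFromClaims(claims).includes(role);
}
```

Role checks in the SPA only decide what to render; the backend still has to enforce access using the roles claim from an access token it has validated itself.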