Spring Boot With Auth0 And Google Play Account Deletion Requirement

Hi @Kejven,

Welcome to the Auth0 Community and thank you for your post.

Your approach of creating an M2M application is the right approach in this case. A Management API Access Token for SPAs can be obtained as well, but since SPAs are public clients and cannot securely store sensitive information (such as a Client Secret), the only scopes included within the Management API in this case are related to the logged-in user profile, so it does not contain the delete:users permission.

An M2M application can securely consume the Management API since the API is hosted on the server, so the client secret can be stored safely. You can then create a website that simply asks for email confirmation and calls the DELETE /api/v2/users/{id} endpoint. You can also check out more on this community post.

I hope this helps your case, but others as well.
Thanks,
Remus
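
The flow described in the reply above, as an added example that is not part of the original post and is not Auth0's own code: a server-side Java class that obtains a Management API token with the M2M client credentials and then calls DELETE /api/v2/users/{id}. The class name, the environment variable names and the regex-based token extraction are assumptions made for illustration; the M2M application is assumed to be authorized for the Management API with only the delete:users permission.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class Auth0UserDeleter {
    // Assumed environment variable names; the client secret stays on the server.
    private static final String DOMAIN = System.getenv("AUTH0_DOMAIN");
    private static final String CLIENT_ID = System.getenv("AUTH0_M2M_CLIENT_ID");
    private static final String CLIENT_SECRET = System.getenv("AUTH0_M2M_CLIENT_SECRET");
    // Minimal extraction to avoid a JSON dependency; use a JSON parser in a real service.
    private static final Pattern TOKEN = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"");
    private final HttpClient http = HttpClient.newHttpClient();

    // Client credentials grant with the Management API as the audience.
    String managementToken() throws Exception {
        String body = String.format(
            "{\"grant_type\":\"client_credentials\",\"client_id\":\"%s\","
                + "\"client_secret\":\"%s\",\"audience\":\"https://%s/api/v2/\"}",
            CLIENT_ID, CLIENT_SECRET, DOMAIN);
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://" + DOMAIN + "/oauth/token"))
            .header("Content-Type", "application/json")
            .POST(HttpRequest.BodyPublishers.ofString(body))
            .build();
        HttpResponse<String> res = http.send(req, HttpResponse.BodyHandlers.ofString());
        Matcher m = TOKEN.matcher(res.body());
        if (res.statusCode() != 200 || !m.find()) {
            throw new IllegalStateException("Token request failed: HTTP " + res.statusCode());
        }
        return m.group(1);
    }

    // Call only after the requester has been verified as the account owner
    // (the email confirmation step mentioned in the reply).
    void deleteUser(String userId) throws Exception {
        // IDs look like "auth0|abc123"; the "|" must be percent-encoded in the path.
        String encoded = URLEncoder.encode(userId, StandardCharsets.UTF_8).replace("+", "%20");
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://" + DOMAIN + "/api/v2/users/" + encoded))
            .header("Authorization", "Bearer " + managementToken())
            .DELETE()
            .build();
        HttpResponse<String> res = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() != 204) { // the endpoint answers 204 No Content on success
            throw new IllegalStateException("Delete failed: HTTP " + res.statusCode());
        }
    }
}
```

In a long-running service, cache the token until it expires instead of requesting a new one for every deletion.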