In case you haven’t figured this out yet, I definitely think you were on the right track with this. In order for the API to validate the access token you pass to it, you’ll need to include an audience param in your call to webAuth:
```javascript
auth0.webAuth
  .authorize({
    audience: 'https://api.yoursite.com', // Replace with your API's audience value (identifier)
    scope: 'openid profile email'
  });
```
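What the `audience` value buys on the API side, as an added example that is not part of the original post or of Auth0's code: a Node.js sketch of the check an API runs on the incoming access token, rejecting tokens that are not JWTs, fail signature verification, have expired, or were issued for a different audience. It assumes RS256 tokens; the throwaway key pair, `signToken` and `checkAccessToken` are hypothetical names constructed here so the sketch runs offline.

```javascript
const crypto = require('crypto');

const API_AUDIENCE = 'https://api.yoursite.com'; // the API identifier used in the post
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Constructed for the example: a throwaway RSA key standing in for the issuer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Constructed for the example: mint an RS256 token so the check below has input.
function signToken(claims) {
  const input = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// API-side validation: structure, algorithm, signature, expiry, then audience.
function checkAccessToken(token, key, expectedAudience, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a JWT (opaque token)' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed JWT' };
  }
  // Pin the algorithm instead of trusting whatever the header asks for.
  if (header?.alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('RSA-SHA256', signed, key, Buffer.from(parts[2], 'base64url'))) {
    return { ok: false, reason: 'bad signature' };
  }
  if (typeof claims?.exp !== 'number' || claims.exp <= now) {
    return { ok: false, reason: 'expired' };
  }
  // "aud" may be a single string or an array of audiences.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAudience)) return { ok: false, reason: 'audience mismatch' };
  return { ok: true, claims };
}
```

A production API would also check the `iss` claim and fetch the verification key from the issuer's published key set rather than holding it locally.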