just to clarify for others that may be viewing this post - if you get an Access Token for the Management API using an authorization flow with your custom domain, then the Management API must be called using the custom domain.
So to elaborate, we obtain the access token using the custom domain /oauth/token endpoint, but we use the Auth0 domain as the audience since the API Identifier of the Management API will still use the default Auth0 domain. And then when we call the Management API, we use our custom domain.
For example:
POST https://mycustomdomain.com/oauth/token
... // other parameters
...
audience:https://defaulttenant.auth0.com/api/v2/
and then
GET https://mycustomdomain.com/api/v2/clients
Headers:
Authorization: Bearer <access_token>