Carlos, thanks for the reply. Sorry, I should have showed the token scopes and auth method.
Honestly, I’d be pretty pissed if that error came out if my token scopes were wrong as there would be no way to determine that was the problem from the error 
This is a 400 which should indicate that the request body is wrong rather than a 403 indicating that I don’t have permissions to modify the resource.
Here’s how I’m initiating the request:
[~]$ curl -iL -X POST https://xxxxx.auth0.com/oauth/token -H 'Content-type: application/json' -d '{"grant_type": "client_credentials", "client_id":"xxxxx", "client_secret":"xxxxx", "audience": "https://xxxxx.auth0.com/api/v2/"}'
HTTP/2 200
date: Tue, 26 Jun 2018 21:26:16 GMT
content-type: application/json
content-length: 978
x-auth0-requestid: fd11d6c27dddd1c63d4d
x-ratelimit-limit: 30
x-ratelimit-remaining: 29
x-ratelimit-reset: 1530048377
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
strict-transport-security: max-age=15724800
x-robots-tag: noindex, nofollow, nosnippet, noarchive
{"access_token":"XXXXXXXXXXJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5EZEROalZHTWtOQ05rTTRPRE0zTmtReVF6VkVRVVExUWpjNFJUTkZNa1pGUWprd1FqUTJNdyJ9.eyJpc3MiOiJodHRwczovL2NyeXB0b3dhbGsuYXV0aDAuY29tLyIsInN1YiI6Ik9SSUVDNUtlOXNrdnNoUlhpaFNaN0o4U3NaYWJpQ2FkQGNsaWVudHMiLCJhdWQiOiJodHRwczovL2NyeXB0b3dhbGsuYXV0aDAuY29tL2FwaS92Mi8iLCJpYXQiOjE1MzAwNDgzNzYsImV4cCI6MTUzMDEzNDc3NiwiYXpwIjoiT1JJRUM1S2U5c2t2c2hSWGloU1o3SjhTc1phYmlDYWQiLCJzY29wZSI6InJlYWQ6dXNlcnMgdXBkYXRlOnVzZXJzIHVwZGF0ZTp1c2Vyc19hcHBfbWV0YWRhdGEiLCJndHkiOiJjbGllbnQtY3JlZGVudGlhbHMifQ.WYCY30F4fshj_4ufFzvsa9MzkUl19sulVD9eScl4QFyo2KF6v4gRZ1jUP8Z_5CzQQga_QAJYKBjy2d7M8s6NTLOfpoB0txLql2J7hOoocC0abVr521L3keoy3QPXm81AKIgEKc12tUn3UdD00u-er43L_87S8miy6e-ElrQrxXyD0wKaZh_CKvCCJziwAvqzvYmrfHElmQYchOoYLkrU1U7HbKqyJZ1WX0T8UMseL3okjkk-peBO0PYok88cLW84jqQjM50Jr9y5iU6WswP2OK9Z3qUfGo1j_sovRiErDjo972JUS6SM3qD8m1mTuNVnROzmhXuIo_DcXXXXXXXXXX","scope":"read:users update:users update:users_app_metadata","expires_in":86400,"token_type":"Bearer"}
[~]$ curl -iL -X PATCH 'https://xxxxx.auth0.com/api/v2/users/auth0|XXXXXca552e65360e5eXXXXX' -H 'Authorization: Bearer XXXXXXXXXXJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5EZEROalZHTWtOQ05rTTRPRE0zTmtReVF6VkVRVVExUWpjNFJUTkZNa1pGUWprd1FqUTJNdyJ9.eyJpc3MiOiJodHRwczovL2NyeXB0b3dhbGsuYXV0aDAuY29tLyIsInN1YiI6Ik9SSUVDNUtlOXNrdnNoUlhpaFNaN0o4U3NaYWJpQ2FkQGNsaWVudHMiLCJhdWQiOiJodHRwczovL2NyeXB0b3dhbGsuYXV0aDAuY29tL2FwaS92Mi8iLCJpYXQiOjE1MzAwNDgzNzYsImV4cCI6MTUzMDEzNDc3NiwiYXpwIjoiT1JJRUM1S2U5c2t2c2hSWGloU1o3SjhTc1phYmlDYWQiLCJzY29wZSI6InJlYWQ6dXNlcnMgdXBkYXRlOnVzZXJzIHVwZGF0ZTp1c2Vyc19hcHBfbWV0YWRhdGEiLCJndHkiOiJjbGllbnQtY3JlZGVudGlhbHMifQ.WYCY30F4fshj_4ufFzvsa9MzkUl19sulVD9eScl4QFyo2KF6v4gRZ1jUP8Z_5CzQQga_QAJYKBjy2d7M8s6NTLOfpoB0txLql2J7hOoocC0abVr521L3keoy3QPXm81AKIgEKc12tUn3UdD00u-er43L_87S8miy6e-ElrQrxXyD0wKaZh_CKvCCJziwAvqzvYmrfHElmQYchOoYLkrU1U7HbKqyJZ1WX0T8UMseL3okjkk-peBO0PYok88cLW84jqQjM50Jr9y5iU6WswP2OK9Z3qUfGo1j_sovRiErDjo972JUS6SM3qD8m1mTuNVnROzmhXuIo_DcXXXXXXXXXX' -d '{"app_metadata": { "external_user_id": "245c7631-8f95-4955-bc63-d6bd3c0e28db"}}'
HTTP/2 400
date: Tue, 26 Jun 2018 21:26:36 GMT
content-type: application/json; charset=utf-8
content-length: 370
vary: origin,accept-encoding
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
{"statusCode":400,"error":"Bad Request","message":"Payload validation error: 'Additional properties not allowed: {\"app_metadata\": { \"external_user_id\": \"245c7631-8f95-4955-bc63-d6bd3c0e28db\"}} (consider storing them in app_metadata or user_metadata. See \"Users Metadata\" in https://auth0.com/docs/api/v2/changes for more details)'.","errorCode":"invalid_body"}
``