The log event type feacft is associated with a failed exchange, in particular, a failure in exchanging an authorization code for a token.
The authentication flow you described suggest that the authorization code grant with PKCE (given its a native application) is being used in order to authenticate the user so this is consistent with the log event.
The most likely cause for receiving an feact (Unauthorized) for this scenario is due to an incorrectly configured client application. More specifically, the Client Type for the application should be Native.
The underlying issue is that Native applications can call the token endpoint without performing client authentication and if the client is incorrectly configured in a way that it’s requiring client authentication then the error in question will be triggered because your native client application won’t be performing client authentication.
Fixing the client type should address this situation; if not, try to setup a new client application with the native type from scratch and use that one.