Some success: I am setting both the scope and the audience; and I updated the auth0-spa-js to record both so they survive between web page loads, and update the new Auth0Client when the page reloads.
The SPA can get an jwt access token, use it, and the service can verify it.