This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
tl;dr: Don't accept access tokens in your redirect URI (don't use the implicit flow)
PKCE solves this attack and is enforced by the server rather than relying on client developers to "verify the access token" as described in the post.
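As an added example (not code from the comment above, from Salt Security, or from any real OAuth library), here is the pattern the comment recommends, in one runnable file: an authorization-code flow where the client publishes a PKCE `code_challenge`, the server binds it to the issued code and checks the `code_verifier` at the token endpoint (one-shot, constant-time compare), and the client's redirect handler accepts only `code` and refuses any redirect carrying an `access_token`, which is exactly the implicit-flow input the comment says not to accept. `AuthorizationServer`, `parse_redirect` and the `client.example` URLs are hypothetical names for illustration.

```python
"""Authorization-code + PKCE (RFC 7636, S256), both sides in one process.
Hypothetical example: the server and client here stand in for real ones."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side: random verifier (43 chars from 32 random bytes) and its
    S256 challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthorizationServer:
    """Hypothetical minimal AS. Stores the challenge with each code and only
    redeems a code whose verifier hashes to that challenge."""

    def __init__(self) -> None:
        self._codes = {}  # code -> {"challenge", "redirect_uri", "used"}

    def authorize(self, redirect_uri: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        # Refuse "plain": it turns PKCE into a shared secret sent in the clear.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"challenge": code_challenge,
                             "redirect_uri": redirect_uri, "used": False}
        # The redirect carries a code only; no token ever appears in a URL.
        return f"{redirect_uri}?code={code}"

    def token(self, code: str, code_verifier: str,
              redirect_uri: str) -> Optional[dict]:
        entry = self._codes.get(code)
        if entry is None or entry["used"] or entry["redirect_uri"] != redirect_uri:
            return None
        entry["used"] = True  # single use, whether or not the verifier matches
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not hmac.compare_digest(expected, entry["challenge"]):
            return None  # verifier does not match: code was injected or stolen
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def parse_redirect(url: str) -> Optional[str]:
    """Client-side redirect handler. Returns the single authorization code, or
    None if the URL carries an access_token (query or fragment) or is malformed.
    An access token here can only come from an implicit-flow response the client
    never asked for, so it is rejected rather than 'verified'."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    fragment = parse_qs(parts.fragment)
    if "access_token" in query or "access_token" in fragment:
        return None
    codes = query.get("code", [])
    return codes[0] if len(codes) == 1 else None


def run_legit_flow(server: AuthorizationServer,
                   redirect_uri: str = "https://client.example/cb") -> Optional[dict]:
    """Full exchange: client -> AS (challenge) -> redirect -> client -> AS (verifier)."""
    verifier, challenge = make_pkce_pair()
    redirect = server.authorize(redirect_uri, challenge)
    code = parse_redirect(redirect)
    if code is None:
        return None
    return server.token(code, verifier, redirect_uri)


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("legit flow:", run_legit_flow(srv))
    # Constructed attacker-style redirect: token injected in the fragment.
    print("injected token accepted?",
          parse_redirect("https://client.example/cb#access_token=evil&token_type=bearer"))
```

The point of the structure: the decision that a code is genuine lives at the token endpoint, where the server compares the verifier against the challenge it recorded itself, so the client never has to "verify" a bearer token it received through a URL.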