The bug was on our end;
When calling POST https://zoom.us/oauth/token (from the docs here)
We were using the wrong redirect_uri value in the request body.
We are now using our front-end web application’s URL when doing in-client OAuth, instead of redirecting to our back-end auth URL (as we do when a user installs from the browser).