Did you ever get this working? I struggled with this for a bit until I found I had an odd typo in my code. The weird thing was that the typo resulted in a URL that was valid for a regular auth flow, but not a PKCE flow. So it would still return an authorization code that I could redeem for a regular auth flow token if I provided my client ID and secret. Triple check your URL generator for the PKCE flow and make sure you don't have any typos there that could be causing this same issue.