79269322

Date: 2024-12-10 18:16:20
Score: 0.5

Requests for the token endpoint generated by the OpenIddict client differ from those created by Postman. For instance, the OpenIddict client includes an Accept-Charset: utf-8 header.

In some cases, that particular header might cause the problem. A WAF in front of certain identity providers might not expect it, which leads to forbidden requests.

One way to fix it is to configure the OpenIddict client to skip that particular header:

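options
    .AddEventHandler<OpenIddictClientEvents.PrepareTokenRequestContext>(builder =>
        builder.UseInlineHandler(context => {
            // HTTP request message attached to the token request transaction (may be null).
            HttpRequestMessage? r = context.Transaction.GetHttpRequestMessage();
            // Drop the Accept-Charset header before the request is sent.
            r?.Headers.Remove("Accept-Charset");
            return default;
        }));
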
Reasons:
  • Long answer (-0.5):
  • Has code block (-0.5):
  • Self-answer (0.5):
  • Low reputation (1):
Posted by: u81494
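
Added example, not part of the original answer: a small Python helper for finding which header differs between a rejected token request and one that succeeds from Postman, so the candidate for the WAF block can be identified before changing the client. Both captures, the host name `idp.example.test` and the header values are constructed samples, and the function names are hypothetical.

```python
"""Diff the headers of two captured HTTP/1.1 requests (constructed samples)."""

# Constructed capture: token request as sent by the client that gets 403.
CLIENT_REQ = (
    "POST /connect/token HTTP/1.1\r\n"
    "Host: idp.example.test\r\n"
    "Accept: application/json\r\n"
    "Accept-Charset: utf-8\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "grant_type=authorization_code&code=REDACTED"
)
# Constructed capture: the same request as sent by Postman, which succeeds.
POSTMAN_REQ = (
    "POST /connect/token HTTP/1.1\r\n"
    "host: idp.example.test\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "grant_type=authorization_code&code=REDACTED"
)

def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue                           # ignore malformed lines
        # Header names are case-insensitive; repeated headers keep all values.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def diff_headers(failing, working):
    """Headers only in the failing request, only in the working one, and changed."""
    a, b = parse_headers(failing), parse_headers(working)
    return {
        "only_failing": sorted(a.keys() - b.keys()),
        "only_working": sorted(b.keys() - a.keys()),
        "changed": {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]},
    }

if __name__ == "__main__":
    result = diff_headers(CLIENT_REQ, POSTMAN_REQ)
    print("Only in failing request:", result["only_failing"])
    print("Only in working request:", result["only_working"])
    for name, (bad, good) in result["changed"].items():
        print(f"Changed {name}: {bad} -> {good}")
```

Headers listed under "only in failing request" are the first ones to check against the WAF's logs or rule set.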