The errors you're getting are due to the auth settings of your app. You can't sign URLs with the access token only (default way your app uses). Thus you can either:

1. Configure app to use IAM Sign Blob API. Prerred way, minimal changes, but there is a quota limits;
2. Configure app to use a mounted private key of the Service Account. More actions, might be less secure.

Please read the guide you attached carefully starting from the Authentication settings section. You will find all the answers here.

When going to Django admin, there's AttributeError

Exception Value:
you need a private key to sign credentials.the credentials you are currently using <class 'google.auth.compute_engine.credentials.Credentials'> just contains a token. see https://googleapis.dev/python/google-api-core/latest/auth.html#setting-up-a-service-account for more details.

Your guide says:

If your app handles signed (expiring) urls, then read through the options in the Settings for Signed Urls in the following section