Maybe this answer will come too late; however, I am currently working on something similar.
If you want to use the BFF pattern, you are mostly on the right track, but you have to use the same client in Keycloak for the frontend and backend, make it confidential, and keep the client secret in the backend.
Making the client confidential does not mean it won't be reachable without the secret. Only the token endpoint of the client, in this example, is not reachable without the client secret (resulting in a 401 without the secret).
So the user can still authenticate against the client, which then passes the authentication code to your BFF, which in turn exchanges it, together with the client secret, for tokens at the token endpoint.
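The exchange described in this answer, as an added example that is not part of the original post and not Keycloak's own code: the BFF receives the code from the browser and posts it to the realm's token endpoint, authenticating as the confidential client with HTTP Basic (`client_secret_basic`). The deployment values (`KEYCLOAK_BASE_URL`, `REALM`, `CLIENT_ID`, `BFF_CLIENT_SECRET`, `REDIRECT_URI`, `VALID_CODE`) are assumptions, and `fake_keycloak_transport` is a constructed stand-in for the token endpoint so the script runs offline; it mirrors the behaviour the answer describes (401 without the client secret) but its exact error bodies are the stub's, not Keycloak's.

```python
"""BFF-side authorization-code exchange against a confidential Keycloak client.

Added example, not code from the original post. All deployment values below and
the fake token endpoint are assumptions for illustration.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Assumed deployment values (hypothetical; read them from config/secrets in practice).
KEYCLOAK_BASE_URL = "https://keycloak.example.test"
REALM = "demo"
CLIENT_ID = "bff-app"  # the single confidential client shared by frontend and BFF
BFF_CLIENT_SECRET = "s3cr3t-only-the-bff-knows"  # lives only on the BFF, never in the browser
REDIRECT_URI = "https://app.example.test/callback"
VALID_CODE = "constructed-auth-code-123"  # constructed sample code for the offline stub

# A transport takes (url, body, headers) and returns (http_status, response_bytes).
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


def token_endpoint(base_url: str, realm: str) -> str:
    """Keycloak's OIDC token endpoint for a realm."""
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def build_code_exchange(code: str, client_secret: Optional[str],
                        code_verifier: Optional[str] = None) -> Tuple[str, bytes, Dict[str, str]]:
    """Build the RFC 6749 section 4.1.3 token request (url, form body, headers).

    The secret is sent in the HTTP Basic Authorization header (client_secret_basic),
    the default client authentication method for a confidential Keycloak client.
    With client_secret=None the request is what a public caller could send.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }
    if code_verifier:  # PKCE verifier, if the frontend started the flow with a challenge
        form["code_verifier"] = code_verifier
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        cred = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    return token_endpoint(KEYCLOAK_BASE_URL, REALM), urllib.parse.urlencode(form).encode(), headers


def _urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real HTTP transport for production use (not exercised offline)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fake_keycloak_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in for the confidential client's token endpoint.

    Enforces what the answer describes: without the client secret the endpoint
    answers 401; with it, a valid code yields tokens. Error bodies are the stub's own.
    """
    if not url.endswith("/protocol/openid-connect/token"):
        return 404, b"{}"
    form = dict(urllib.parse.parse_qsl(body.decode()))
    expected = base64.b64encode(f"{CLIENT_ID}:{BFF_CLIENT_SECRET}".encode()).decode()
    if headers.get("Authorization") != f"Basic {expected}":
        return 401, json.dumps({"error": "invalid_client"}).encode()
    if form.get("grant_type") != "authorization_code" or form.get("code") != VALID_CODE:
        return 400, json.dumps({"error": "invalid_grant"}).encode()
    return 200, json.dumps({"access_token": "at.constructed", "refresh_token": "rt.constructed",
                            "id_token": "idt.constructed", "token_type": "Bearer",
                            "expires_in": 300}).encode()


def exchange_code(code: str, client_secret: Optional[str],
                  transport: Optional[Transport] = None) -> Dict[str, object]:
    """Exchange the code the frontend handed to the BFF for tokens; tokens stay server-side."""
    url, body, headers = build_code_exchange(code, client_secret)
    status, payload = (transport or _urllib_transport)(url, body, headers)
    data = json.loads(payload or b"{}")
    if status != 200:
        return {"ok": False, "status": status, "error": data.get("error")}
    return {"ok": True, "status": status, "tokens": data}


if __name__ == "__main__":
    # Browser-side attempt without the secret: rejected, as the answer says.
    print(exchange_code(VALID_CODE, None, transport=fake_keycloak_transport))
    # BFF-side attempt with the secret: succeeds.
    print(exchange_code(VALID_CODE, BFF_CLIENT_SECRET, transport=fake_keycloak_transport))
```

After a successful exchange the BFF should keep the returned tokens in its own server-side session and hand the browser only an httpOnly session cookie, which is the point of routing the exchange through the backend in the first place.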