I finally got this working, NOT using the single sign-on suggestion previously mentioned.
a) The application needs to be Single Tenant to properly use CIAM with external providers such as Google. This was the final fix. Because I was multi-tenant for most of my implementation, I could never get a v2 access token for Google auth until this was changed. Once it's changed, the rest "works".
b) When Logging in, use the scopes of:
"openid", "profile", "offline_access"
This will return a v1.0 token, but this is fine.
c) After logging in, request an Access Token using a scope of:
api://<yourappid>/api.Read
or whatever custom API scope you have created. THIS will request a v2.0 JWT access token through CIAM with all the appropriate scopes and claims on it.
d) In the app registration -> Token configuration, add the email claim for the access token, and magic. Works as expected.
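A quick way to confirm you are holding the two different tokens this answer describes (the v1.0 token from the initial login versus the v2.0 access token from the later api://&lt;yourappid&gt;/api.Read request) is to decode the JWT payload and look at the `ver`, `aud`, `scp` and `email` claims. The script below is an added example, not code from the original post; it does not call MSAL or the network, and the two tokens it inspects are constructed in the script with a throwaway HS256 key purely to give the inspection logic something to run against. Real Entra tokens are RS256-signed by the tenant, and this helper deliberately does not verify signatures, so it is a debugging aid, never an authorization check. The app id, tenant id, client id and e-mail address are all made-up placeholders.

```python
"""Inspect the tokens a CIAM (Entra External ID) login flow hands back.

Added example, not the original poster's code. Tokens here are CONSTRUCTED with
a fake HS256 key so the script runs offline; real tokens are RS256-signed by the
tenant. Nothing below verifies a signature. Use it to *look at* claims only.
"""
import base64
import hashlib
import hmac
import json
import time

API_APP_ID = "11111111-2222-3333-4444-555555555555"  # hypothetical API app (client) id
CLIENT_ID = "66666666-7777-8888-9999-000000000000"   # hypothetical login app id
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # hypothetical tenant id
DEMO_KEY = b"demo-only-not-a-real-signing-key"       # constructed, fake signatures only


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a compact JWT with a fake HS256 signature (constructed sample only)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, claims) WITHOUT checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, api_app_id: str, required_scope: str) -> dict:
    """Say whether this is the v2.0 access token for our API carrying the wanted scope."""
    _, claims = decode_jwt_unverified(token)
    ver = claims.get("ver")
    aud = claims.get("aud")
    # v1.0 access tokens carry the App ID URI as aud; v2.0 access tokens carry the
    # API's client id GUID. Accept both spellings of "this API".
    for_our_api = aud in (api_app_id, "api://" + api_app_id)
    scopes = claims.get("scp", "").split()  # scp is a space-separated string
    has_scope = required_scope in scopes
    return {
        "ver": ver,
        "is_v2": ver == "2.0",
        "for_our_api": for_our_api,
        "has_scope": has_scope,
        "email": claims.get("email"),
        "usable_for_api": ver == "2.0" and for_our_api and has_scope,
    }


_now = int(time.time())

# Constructed sample 1: what the initial login with openid/profile/offline_access
# returns (a v1.0 token for the login app itself; no scp, no email claim).
LOGIN_ID_TOKEN = make_demo_token({
    "ver": "1.0", "aud": CLIENT_ID, "tid": TENANT_ID,
    "iat": _now, "exp": _now + 3600, "preferred_username": "jane@example.com",
})

# Constructed sample 2: what the follow-up request for api://<appid>/api.Read
# returns once the registration is single-tenant and the email claim is configured.
API_ACCESS_TOKEN = make_demo_token({
    "ver": "2.0", "aud": API_APP_ID, "tid": TENANT_ID,
    "iat": _now, "exp": _now + 3600, "scp": "api.Read",
    "email": "jane@example.com",
})

# Constructed sample 3: a v1.0 access token for the same API (App ID URI audience),
# the kind you keep getting while the registration is still multi-tenant.
V1_API_ACCESS_TOKEN = make_demo_token({
    "ver": "1.0", "aud": "api://" + API_APP_ID, "tid": TENANT_ID,
    "iat": _now, "exp": _now + 3600, "scp": "api.Read",
})


if __name__ == "__main__":
    for name, tok in (("login token", LOGIN_ID_TOKEN), ("API access token", API_ACCESS_TOKEN),
                      ("v1 API access token", V1_API_ACCESS_TOKEN)):
        print(name, classify_token(tok, API_APP_ID, "api.Read"))
```

Paste the real tokens your app receives into `classify_token` in place of the constructed ones; if `is_v2` is False on the token you got back from the custom-scope request, check the single-tenant setting first, and if `email` is None, check the Token configuration optional claims for the access token.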