I'm trying a similar thing; I have added accounts.settings to the scopes, however I get an 'unauthorised' response. This is the response I get when sending the auth details to here: POST https://identity.xero.com/connect/token . I am able to access other enpoints, such as timesheets. Any help much appreciated.

  "scope": "openid profile email payroll.employees payroll.timesheets payroll.settings accounting.settings offline_access"