79664314

Date: 2025-06-13 03:24:10
Score: 1

For me, it was all about getting the scope value set properly to send to the downstream API, then setting the authority (issuer) and audience properly on the API itself.

The .default scope is only for making requests using the Downstream API as the App. If you're requesting on behalf of the user, you need to define a scope in your Azure AD B2C app registration, then include the scope URI in your "SecureApi" configuration. This allows the TokenAcquisition object used by the Downstream API to request a token from Azure AD B2C.

Usually the scope takes the form of https://azb2cdomain.onmicrosoft.com.onmicrosoft.com/clientid/scopename, but it can be copied when the scope is defined in the Azure AD B2C portal (App Registration => Expose an API => Add a Scope). It doesn't appear to matter much what you name the scope. All that seems to matter is setting the URI correctly.

On the API side, Authority is https://adb2cdomain.b2clogin.com/6b31fe92-c55e-4b85-b48e-980f96f1ce58/v2.0/ and the audience is the client ID GUID by itself of the app registration you're using.

Apologies for not having links to relevant sites but most of what I've tried has been trial and error.

Reasons:
  • Long answer (-1):
  • No code block (0.5):
  • Unregistered user (0.5):
  • Low reputation (1):
Posted by: Sam
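The following is an added example, not code from the answer above: it wires up the two halves the answer describes in ASP.NET Core, using Microsoft.Identity.Web on the calling side (a named "SecureApi" downstream API with the user scope, and the `.default` scope for app-only calls) and the JwtBearer handler on the API side with the authority and audience. Every tenant name, GUID, base URL and the `AzureAdB2C` configuration section are placeholders or assumptions, and the scope name `access_as_user` is an arbitrary example, since the answer notes the name itself does not matter.

```csharp
// Added example: Azure AD B2C scope / authority / audience wiring.
// All tenant names, GUIDs, URLs and section names are placeholders.
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

public static class B2cSecureApiSetup
{
    // Scope URI exposed by the API's app registration
    // (App Registration => Expose an API => Add a Scope). Copy the real value from the portal.
    public const string SecureApiUserScope =
        "https://<b2c-tenant>.onmicrosoft.com/<api-client-id>/access_as_user";

    // The .default scope is only for app-only (client credentials) calls, not on-behalf-of a user.
    public const string SecureApiAppScope =
        "https://<b2c-tenant>.onmicrosoft.com/<api-client-id>/.default";

    // API side: issuer (authority) of the tenant and the API registration's client id as audience.
    public const string ApiAuthority = "https://<b2c-tenant>.b2clogin.com/<tenant-id>/v2.0/";
    public const string ApiAudience = "<api-client-id>";

    // Calling web app: B2C sign-in plus a named downstream API so ITokenAcquisition can
    // obtain a token for SecureApiUserScope on behalf of the signed-in user.
    // Assumes an "AzureAdB2C" section (Instance, Domain, ClientId, ClientSecret,
    // SignUpSignInPolicyId) in configuration.
    public static IServiceCollection AddSecureApiCaller(
        this IServiceCollection services, IConfiguration config)
    {
        services.AddMicrosoftIdentityWebAppAuthentication(config, "AzureAdB2C")
            .EnableTokenAcquisitionToCallDownstreamApi(new[] { SecureApiUserScope })
            .AddDownstreamApi("SecureApi", options =>
            {
                options.BaseUrl = "https://localhost:5001"; // placeholder API base URL
                options.Scopes = new[] { SecureApiUserScope };
            })
            .AddInMemoryTokenCaches();
        return services;
    }

    // Explicit token acquisition, showing which scope goes with which call style.
    public static Task<string> GetTokenForUserAsync(ITokenAcquisition tokenAcquisition) =>
        tokenAcquisition.GetAccessTokenForUserAsync(new[] { SecureApiUserScope });

    public static Task<string> GetTokenForAppAsync(ITokenAcquisition tokenAcquisition) =>
        tokenAcquisition.GetAccessTokenForAppAsync(SecureApiAppScope);

    // API side: accept only tokens whose issuer is this tenant's v2.0 authority and whose
    // audience is this API's client id. Signing keys are fetched from the authority's
    // discovery document; if B2C does not serve that document at the bare authority,
    // point options.MetadataAddress at the policy-specific discovery URL (assumption).
    public static IServiceCollection AddSecureApiValidation(this IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = ApiAuthority;
                options.Audience = ApiAudience;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = ApiAuthority,
                    ValidateAudience = true,
                    ValidAudience = ApiAudience,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                };
            });
        services.AddAuthorization();
        return services;
    }
}
```

In the web app, call `builder.Services.AddSecureApiCaller(builder.Configuration)` and inject `IDownstreamApi` to call `CallApiForUserAsync("SecureApi", ...)`; in the API, call `builder.Services.AddSecureApiValidation()` and put `[Authorize]` on the controllers. If the audience or issuer is wrong, the API answers 401 and the JwtBearer handler logs an `IDX10214` (audience) or `IDX10205` (issuer) validation failure, which is the first thing to check in the API's logs when the downstream call fails.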