Thanks! I ended up implementing a token mediation server, kind of followed what ch4mp said... Followed this spec -> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#name-token-mediating-backend
After doing some research, I found that the BFF makes API calls on behalf of the frontend as well, whereas the Token Mediating Backend does not, allowing for much less maintenance and a centralized approach.
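As an added illustration (not the poster's code and not taken from the draft), a toy model of what each pattern hands the browser; the authorization server, client secret, session ids and resource API are constructed in-memory stubs:

```python
"""Constructed comparison of a Token Mediating Backend and a BFF.
Both exchange the authorization code with the client secret server-side;
they differ in whether the browser ever receives the access token."""
import secrets

# --- constructed stand-ins for the authorization server and the API ---
CLIENT_SECRET = "stub-client-secret"        # lives only on the backend
ISSUED_CODES = {"code-123": "alice"}        # codes the stub AS will accept

def token_endpoint(code: str, client_secret: str) -> dict:
    """Stub AS /token: authorization-code grant for a confidential client."""
    if client_secret != CLIENT_SECRET or code not in ISSUED_CODES:
        raise PermissionError("invalid_grant")
    user = ISSUED_CODES[code]
    return {"access_token": f"at-{user}-{secrets.token_hex(4)}",
            "refresh_token": f"rt-{user}", "expires_in": 300}

def resource_api(path: str, authorization: str) -> dict:
    """Stub resource server that only checks for a bearer token it issued."""
    if not authorization.startswith("Bearer at-"):
        raise PermissionError("unauthorized")
    return {"path": path, "ok": True}

class TokenMediatingBackend:
    """Keeps the client secret and refresh token server-side and returns
    only the short-lived access token; the browser calls the API itself."""
    def __init__(self):
        self.refresh_tokens = {}            # keyed by browser session id

    def exchange_code(self, session_id: str, code: str) -> dict:
        tokens = token_endpoint(code, CLIENT_SECRET)
        self.refresh_tokens[session_id] = tokens["refresh_token"]
        return {"access_token": tokens["access_token"],
                "expires_in": tokens["expires_in"]}

class BackendForFrontend:
    """Keeps every token server-side; the browser holds only a session
    cookie and each API call is proxied through the backend."""
    def __init__(self):
        self.sessions = {}

    def exchange_code(self, session_id: str, code: str) -> dict:
        self.sessions[session_id] = token_endpoint(code, CLIENT_SECRET)
        return {"logged_in": True}          # no token reaches the browser

    def proxy(self, session_id: str, path: str) -> dict:
        tokens = self.sessions[session_id]
        return resource_api(path, f"Bearer {tokens['access_token']}")
```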