The problem seems to be that a client has its Client Secret set. If I use this secret in my development environment, everything works. But because this is a PWA, I cannot share the client secret in production.
Even though it is ok to expose the client secret, becauseThe PKCE code_verifier ensures that no interception of the code can occur.
My concern would be a scenario where a bad actor took the now-exposed client_secret and found a way to maliciously construct a non-PKCE flow from my domain.