OAuth via Keycloak and OAuth2-Proxy

I have 2 prometheuses, both are with forward-auth via the oauth2-proxy, which have the same client credentials in a single keycloak.
I would like one prometheus to federate the other one. This is my config snippet for authentication in prometheus.yml

      client_id: "oauth-proxy"
      token_url: "https://keycloak.mydomain.tld/realms/master/protocol/openid-connect/token"

I am not even sure if they should use the oauth-proxy client ID, or a distinct one, but i guess that doesn’t really matter.

As you can maybe see i am using the new quarkus-based keycloak, which has a slightly different UI as the old wildfly-based keycloak.

At first, i got an error that the keycloak client isn’t allowed to use service account tokens. I fixed that by enabling the “Service accounts roles” setting in the client. Now apparently the scraping prometheus is able to get the token from keycloak, but the target still shows as “401 unauthorized”. What am i missing here?