There have been more elaborate and polished guides since, but a while back I knocked up a guide as to how the OAUTH2 process worked with SmartThings for getting a renewable access token.
Might I refer you to that so we can find how your attempt fits in with it?
If you are just trying to replace a PAT, it is probably easiest to just get the first access and refresh tokens ‘manually’ in a similar sort of way to how I demonstrated and then just have your app refresh the tokens when required. Access tokens are valid for 24 hours but the refresh tokens you require in order to replace them both are valid for thirty days.
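
The refresh-when-required step described in the post above, as an added example that is not part of the original post or of any SmartThings code. It assumes the first token pair was obtained manually and saved to a JSON file; `exchange` is a hypothetical callable that wraps the HTTP refresh request and returns the new pair, and the five-minute `SKEW` and the file layout are assumptions.

```python
import json
import os
import tempfile
import time

ACCESS_TTL = 24 * 3600        # access token lifetime given in the post
REFRESH_TTL = 30 * 24 * 3600  # refresh token lifetime given in the post
SKEW = 300                    # assumption: refresh five minutes before expiry


class ReauthRequired(Exception):
    """The refresh token has expired; the manual authorization must be redone."""


def load(path):
    with open(path) as f:
        return json.load(f)


def save(path, state):
    # Atomic replace: a crash mid-write must not lose the newly issued
    # refresh token, since the old one has just been replaced.
    # mkstemp creates the file readable and writable by the owner only.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        json.dump(state, f)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def get_access_token(path, exchange, now=None):
    """Return a usable access token, refreshing the stored pair if needed.

    exchange(refresh_token) is hypothetical: it performs the refresh request
    and returns a dict with 'access_token' and 'refresh_token'.
    """
    now = time.time() if now is None else now
    state = load(path)
    if now < state["obtained"] + ACCESS_TTL - SKEW:
        return state["access_token"]          # still valid, no network call
    if now >= state["obtained"] + REFRESH_TTL:
        raise ReauthRequired("refresh token is older than thirty days")
    new = exchange(state["refresh_token"])
    # Both tokens are replaced, so both lifetimes restart from now.
    save(path, {"access_token": new["access_token"],
                "refresh_token": new["refresh_token"],
                "obtained": now})
    return new["access_token"]
```

An app that runs at least once every thirty days keeps the pair alive indefinitely; one that is offline longer hits `ReauthRequired` and needs the manual step again.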