The `OAuth2AccessToken.scopes` should only include the authorized or requested scopes (subset of authorized). See [comment](https://github.com/spring-projects-experimental/spring-authorization-server/issues/199#issuecomment-776805577).
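
The rule above as an added example, not code from this issue or from Spring Authorization Server: the token carries the authorized scopes, or the requested scopes when they are a subset of the authorized ones. `TokenScopeResolver` and `InvalidScopeException` are hypothetical names, the scope values are constructed, and rejecting a request that names an unauthorized scope with `invalid_scope` is this example's assumption, following RFC 6749.

```java
import java.util.LinkedHashSet;
import java.util.Set;

/** Hypothetical helper for illustration; not part of Spring Authorization Server. */
public final class TokenScopeResolver {

    /** Raised when a token request names a scope the resource owner never authorized. */
    static final class InvalidScopeException extends RuntimeException {
        InvalidScopeException(String message) {
            super(message);
        }
    }

    /**
     * Returns the scopes to place in the access token.
     *
     * @param authorized scopes the resource owner approved for this authorization
     * @param requested  scopes named in the token request; empty when the parameter is omitted
     */
    static Set<String> resolve(Set<String> authorized, Set<String> requested) {
        if (requested.isEmpty()) {
            // Nothing narrower was asked for: the token carries exactly the authorized scopes.
            return Set.copyOf(authorized);
        }
        Set<String> unauthorized = new LinkedHashSet<>(requested);
        unauthorized.removeAll(authorized);
        if (!unauthorized.isEmpty()) {
            // Never widen: fail the request rather than issue a scope that was not authorized.
            throw new InvalidScopeException("invalid_scope: " + unauthorized);
        }
        // The request is a subset of the authorized scopes, so the token is narrowed to it.
        return Set.copyOf(requested);
    }

    public static void main(String[] args) {
        // Constructed sample: the resource owner authorized two scopes.
        Set<String> authorized = Set.of("openid", "message.read");

        System.out.println(resolve(authorized, Set.of()));
        System.out.println(resolve(authorized, Set.of("message.read")));
        try {
            resolve(authorized, Set.of("message.read", "message.write"));
        } catch (InvalidScopeException e) {
            System.out.println(e.getMessage());
        }
    }
}
```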