The + character when consuming a REST API with the "form-urlencoded" content type is not encoded properly. It has to be replaced in the OnBeforeRequest with "%2B".
This is an older issue but still relevant: https://www.outsystems.com/forums/discussion/53348/sharepoint-postoauth-error-invalid-client-secret-is-provided/.
It would be nice if the OnBeforeRequest would not be necessary.