For OSS Xbox Live, how do I get the STS (JWE) Auth Token scoped to our game?

We registered a Relying Party Cert in the Partner Center, but I’m unclear how I get JWE tokens that use that cert so we can authenticate calls to our existing services.

We’re currently using the HTTP module to call into our service without any vanity URLs (we use AWS API Gateway). Would we need to switch to a vanity domain name and have the OS decorate those calls with the token based on the domain name?

What token does the Unreal Online Subsystem for Xbox Live return? Would something like this work?

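#include "OnlineSubsystem.h"
#include "Interfaces/OnlineIdentityInterface.h"

FOnlineSubsystemModule& oss = FModuleManager::GetModuleChecked<FOnlineSubsystemModule>("OnlineSubsystem");

// Look up the Xbox Live online subsystem and its identity interface.
auto ossLive = oss.GetOnlineSubsystem(FName(TEXT("LIVE")));
auto identityService = ossLive->GetIdentityInterface();

// Request the auth token for local user 0.
FString token = identityService->GetAuthToken(0);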