Invalid token even with the authentication process going as planned

So I have no idea where I’m failing, but I do remember V5 making this a lot simpler.

I’ve registered an app. I’ve copied the client id, and I send the user (me) to the following URL:
https://id.twitch.tv/oauth2/authorize?client_id=cid&redirect_uri=http://localhost:8080/oauth&response_type=code&scope=user:read:follows

The user/me successfully logs in, and is redirected to my localhost page:

http://localhost:8080/oauth?code=TOKEN&scope=user%3Aread%3Afollows

I copy paste the thing into cURL (just to avoid any client side coding errors).

curl --location --request GET 'https://api.twitch.tv/helix/following' \
  --header 'Authorization: Bearer TOKEN' \
  --header 'Client-Id: cid'

Both the client ID and the token are mocked in the question, but not in the query, for clarity. I’ve generated hundreds of tokens since, and I’m slowly losing my mind, since SOME token is getting generated, but apparently a non-existing one. I’ve read through a bunch of questions on here, and they all seemed to just be doing something wrong, and never even got the token, or failed at some point when it came to scopes. I’ve double checked, and I am not seeing any issue with my client id, my redirect, or my scopes. But I am not getting the correct token at all.

You did exchange the ?code for a token?

The ?code is not a token; you have to exchange it first.

See step 3

3) On your server, get an access token by making this request:

POST https://id.twitch.tv/oauth2/token
    ?client_id=<your client ID>
    &client_secret=<your client secret>
    &code=<authorization code received above>
    &grant_type=authorization_code
    &redirect_uri=<your registered redirect URI>

Yep, should be using token. I have no idea where I got code from. Thanks.
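
The exchange quoted as step 3 in the reply, as an added example that is not part of the original thread or Twitch's own code: it takes the `?code` from the redirect, builds the POST to `https://id.twitch.tv/oauth2/token`, and only then forms the `Authorization: Bearer` header. The function names, the sample values and the choice to send the parameters in the form body instead of the query string are assumptions of this example.

```python
import io
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.twitch.tv/oauth2/token"  # endpoint from step 3 in the reply

def code_from_redirect(redirect_url):
    """Extract the one-time authorization code from the redirect URL."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if "code" not in query:
        raise ValueError("redirect carries no ?code: " + str(query.get("error", "")))
    return query["code"][0]

def build_token_request(code, client_id, client_secret, redirect_uri):
    """Build the step-3 POST. Parameters go in the form body (assumption of this
    example) so the client secret stays out of URLs and access logs."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST")

def access_token_from_response(raw_json):
    """Return access_token from the token endpoint's JSON, or raise if it is absent."""
    data = json.loads(raw_json)
    if "access_token" not in data:
        raise ValueError(data.get("message", "no access_token in response"))
    return data["access_token"]

def exchange(code, client_id, client_secret, redirect_uri, send=urllib.request.urlopen):
    """Swap the code for a token; `send` is injectable so this can run offline."""
    with send(build_token_request(code, client_id, client_secret, redirect_uri)) as resp:
        return access_token_from_response(resp.read())

def helix_headers(access_token, client_id):
    """Headers for the Helix call: the exchanged token, never the raw ?code."""
    return {"Authorization": "Bearer " + access_token, "Client-Id": client_id}

if __name__ == "__main__":
    # Constructed sample values; the canned response stands in for Twitch's reply.
    redirect = "http://localhost:8080/oauth?code=SAMPLECODE&scope=user%3Aread%3Afollows"
    canned = lambda req: io.BytesIO(b'{"access_token": "SAMPLETOKEN", "token_type": "bearer"}')
    token = exchange(code_from_redirect(redirect), "cid", "SAMPLESECRET",
                     "http://localhost:8080/oauth", send=canned)
    print(helix_headers(token, "cid"))
```

The exchange runs server-side because it needs the client secret; the redirect page itself should only hand the code to the server.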