OAuth client token


Issued client tokens only work with the load balanced proxy that issued the token. Every post on the topic has been followed with zero luck. Can anyone provide some tips to get this working with Apigee private cloud?


@mike vega, welcome to the Apigee Community!

Can you please update the above question with more details?

@mike vega ,

You need to bundle the OAuth proxy (the proxy that generates the token) together with other proxies as an API Product to access other proxies using the token generated by the OAuth proxy.

For example, if you have the below proxies:

OAuth Proxy

helloWorld

helloMock

You will create an API Product with the proxies OAuth Proxy, helloWorld and helloMock. Once you generate the token using the OAuth proxy, you can use the same token to access the helloWorld and helloMock proxies.

Hope it helps. Find more about API Product here.

Mike, I'm sorry to hear you're having trouble. I remember first going through this and it felt kinda complicated. Maybe I can help.

First, your statement is correct.

> Issued client tokens only work with the load balanced proxy that issued the token.

That's not true.

Tokens get issued in Apigee Edge by a token-issuing proxy. This is a misnomer because it is not actually "proxying" anything. It's a loopback. But still, the unit of deployment in Edge is "api proxy" so that's what we'll call it. Anyway, inside that proxy there should be a flow with an OAuthV2 policy, and the operation should be GenerateAccessToken. Now there can be various grant types (flavors?) of OAuthV2 - client credentials, password, authorization code, implicit, and some others. You (as policy configurerer person) choose one of those flows. Then when a call into that proxy arrives, the policy executes, and a token is generated.

OK, now for what resource is that token valid?

The GenerateAccessToken operation requires client credentials - a key and secret. Associated to this credential pair in Apigee Edge is the set of API products that the credentials are authorized for. And associated to each API Product is one or more API Proxies.

The token will be good for any of those API Proxies.

Here is a hands-on guided exercise walking you through client_credentials grant_type (a relatively simple one).

You will need to FIRST provision a token-issuing API Proxy in your organization. This is available here. To import and deploy that in your organization, you can use any script or tool that does that - like the PowerShell module or apigeetool or pushapi, etc. ... Or, you can do it manually, with a zip and then use the mgmt UI to import and deploy the proxy.
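A simplified in-memory model of the lookup described in the reply above (credentials, then API products, then API proxies), added here as an illustration; it is not Apigee code and not part of the original post. The product names, key/secret values, the `inventory` proxy and the error strings are constructed assumptions; only `helloWorld` and `helloMock` come from the thread.

```python
import secrets
import time

# Constructed sample data: API product -> API proxies bundled in it.
API_PRODUCTS = {
    "hello-product": {"helloWorld", "helloMock"},
    "other-product": {"inventory"},
}
# client key -> (client secret, API products the credential pair is approved for)
APP_CREDENTIALS = {
    "key-abc": ("secret-abc", ["hello-product"]),
}
TOKENS = {}  # opaque access token -> {"client_id", "expires_at"}


def generate_access_token(client_id, client_secret, ttl=1800, now=None):
    """client_credentials grant: check key and secret, then mint an opaque token."""
    now = time.time() if now is None else now
    cred = APP_CREDENTIALS.get(client_id)
    if cred is None or not secrets.compare_digest(cred[0], client_secret):
        raise PermissionError("invalid_client")
    token = secrets.token_urlsafe(24)
    # The token records which credentials it was issued to, not which proxy issued it.
    TOKENS[token] = {"client_id": client_id, "expires_at": now + ttl}
    return token


def verify_access_token(token, proxy_name, now=None):
    """Check made by the proxy being called: the token is known, unexpired, and the
    proxy is in a product attached to the credentials the token was issued to."""
    now = time.time() if now is None else now
    record = TOKENS.get(token)
    if record is None:
        return False, "invalid_access_token"
    if now >= record["expires_at"]:
        return False, "access_token_expired"
    products = APP_CREDENTIALS[record["client_id"]][1]
    if any(proxy_name in API_PRODUCTS[p] for p in products):
        return True, "ok"
    return False, "proxy_not_in_product"
```

When a token is rejected on one proxy but accepted on another, the model points at the first thing to check: which API products the app's key is approved for, and which proxies those products list.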