• Sub-task
    • Resolution: Done

      Usage:

      Here's a demo that shows how it should work. The assigned user then needs to go into external logins and accept the authorization. We did this because showing the token to the org admin exposes a possible permission escalation.
      The assigned user will still need to be a member of the org with the correct team permissions, as OAuth tokens only work for authn and not authz.

      https://redhat-internal.slack.com/archives/G7VFPAY7Q/p1719926842517859?thread_ts=1719911793.845159&cid=G7VFPAY7Q

       

      New Test case:

      OCP-74391 - Org owner can change ownership of API tokens

              szhao@redhat.com Sean Zhao
              rhn-support-dyan Dongbo Yan