Hi Jenni,
Following is the example for the URI Encoded scopes
"system%2FAppointment.read%20system%2FAppointment.write"
The /token endpoint stopped complaining about empty scopes when I passed the scope as follows:
"system/Appointment.read system/Appointment.write"
Regarding the calls to the "legacy" endpoint, I guess they were made during testing the flow of getting token.