It looks like your app in the code Console is set up correctly, thanks for sharing that.
Another engineer on the team noticed that in your Postman request, you are using escaped scopes, i.e. "scope=system%2FObservation.read%20system%2FPatient.read".
What appears to be happening, which I cannot confirm 100%, is that Postman is applying a second layer of HTML escaping on your already escaped values, thereby mutating them to be unrecognizable by the authorization server. I attempted to replay this behavior locally with Postman and got the same error you did, so I'm fairly confident this is the issue, but it does involve some assumptions about what Postman is actually doing behind the scenes.
A solution appears to be not URL-escaping the value you pass in for scopes: "scope=system/Observation.read system/Patient.read". You could also try issuing the authorization request in a different HTTP client if you prefer to pre-escape the value.
Another note: requesting a scope of "offline_access" doesn't make sense for a system access workflow, since there's no user in context to grant offline access to. You may want to omit this scope from your token request (but if you leave it in, it will be ignored by the auth server without manifesting failures).