As reported in: https://github.com/cds-hooks/sandbox/issues/65
When launching the CDS Hooks Sandbox via the HSPC Sandbox, the provided OAuth 2 access token lacks the expires_in value. This prevents the CDS Hooks Sandbox from being able to specify it in the fhirAuthorization field of the CDS Service request. Per the CDS Hooks spec, the expires_in field is required.
Here is an example request to the token endpoint that illustrates the issue: