Question about how NRF authorizes other network functions

As far as I can tell, this has not been implemented yet (please correct me if I’m wrong, but in that case please also tell me how to enable it).
It is important to note that the NRF does not authenticate the client correctly (i.e. via mTLS) yet. So anyone with access to the NRF can get OAuth tokens in the name of any network function.
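The missing check, sketched as an added example (not part of the original post and not any NRF implementation's code): the `nfInstanceId` in a token request is accepted only if it matches the identity in the mTLS client certificate. It assumes the certificate dict has the shape returned by Python's `ssl.SSLSocket.getpeercert()`, that the NF instance ID is carried as a `urn:uuid:` URI in the subjectAltName, and that `REGISTERED` stands in for the NRF's profile store; all sample values are constructed.

```python
import uuid

# Constructed stand-in for the NRF's NF profile store: nfInstanceId -> nfType.
REGISTERED = {"4947a69a-f61b-4bc1-b9da-47c9c5d14b64": "SMF"}

# Constructed client certificate, in the dict shape of ssl getpeercert().
SMF_CERT = {"subjectAltName": (
    ("DNS", "smf.example"),
    ("URI", "urn:uuid:4947a69a-f61b-4bc1-b9da-47c9c5d14b64"),
)}

def cert_nf_instance_ids(peer_cert):
    """Collect NF instance IDs found as urn:uuid: URIs in the certificate SAN."""
    ids = set()
    for kind, value in (peer_cert or {}).get("subjectAltName", ()):
        if kind == "URI" and value.lower().startswith("urn:uuid:"):
            try:
                ids.add(str(uuid.UUID(value[len("urn:uuid:"):])))
            except ValueError:
                continue  # malformed URN: not usable as an identity
    return ids

def authorize_token_request(peer_cert, form):
    """Return (allowed, reason) for a client_credentials token request."""
    # getpeercert() yields None or {} when no client certificate was verified.
    if not peer_cert:
        return False, "no verified client certificate"
    if form.get("grant_type") != "client_credentials":
        return False, "unsupported grant_type"
    try:
        claimed = str(uuid.UUID(form.get("nfInstanceId", "")))
    except ValueError:
        return False, "invalid nfInstanceId"
    # The claimed identity must be the one the TLS layer authenticated.
    if claimed not in cert_nf_instance_ids(peer_cert):
        return False, "nfInstanceId not bound to client certificate"
    # The claimed NF type must match what that instance registered.
    if REGISTERED.get(claimed) != form.get("nfType"):
        return False, "nfType does not match registered profile"
    return True, "ok"
```

Without the certificate binding, the request fields are the only source of identity, which is the condition the post describes.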