We are embedding a private Qlik Cloud sheet inside a React app and want backend-issued OAuth impersonation tokens so users are not redirected to Qlik login.

Tenant:
https://3sndgsisxteabed.in.qlikcloud.com

We created an OAuth Web client with M2M user impersonation.
Before publish, consent method shows trusted.
After publish, it changes to required.

Then backend POST /oauth/token with grant_type=urn:qlik:oauth:user-impersonation fails with:
oauth client is not approved with trusted consent method

Is trusted consent supported for published impersonation clients on Qlik Cloud?
Why does publish change it back to required?
Is there any supported no-redirect embed approach for this tenant if impersonation is blocked?