The Authorization Server issues an Authorization Code, which is exchanged for an access and refresh token before returning control to the Client.
On the last bullet point in A.2:
I was under the impression the browser returns control to the client with the authorization code, and then the client uses the authorization code with the /token endpoint directly.