According to BOX provider documentation client_id and client_secret parameters should be included in body of the request when obtaining an access token, but in current implementation they are encoded as base64 and included in Authorization header.
https://developer.box.com/reference/post-oauth2-token/

Solution is to override getClientAuthentication method in BoxApi20 class and return RequestBodyAuthenticationScheme.instance() from it.

Also BoxApi20 doesn't sign requests correctly. It should be switched to use BearerSignatureAuthorizationRequestHeaderField signature instead of using BearerSignatureURIQueryParameter. I guess for this, we just need to remove overriden getBearerSignature method from BoxApi20`.

Look at the example of API call
https://developer.box.com/reference/get-metadata-templates-enterprise-securityClassification-6VMVochwUWo-schema/