Scoping OAuth client to specific divisions for multi-tenant BPO access

Could someone explain how to restrict an OAuth client to specific divisions for multi-tenant BPO access? I am trying to limit API access per client division. Here is the payload I am sending to /api/v2/oauth/clients:

{
 "name": "BPO Client A",
 "clientId": "abc123",
 "scopes": ["organization:read"],
 "division": { "id": "div-123" }
}

The token grants full org access. How do I enforce division isolation?

Division isolation requires setting division on the client and using division:id:{id} in scopes. The organization:read scope bypasses division filters. Use this payload:

{
 "name": "BPO Client A",
 "division": { "id": "div-123" },
 "scopes": ["routing:queue:read", "conversation:participant:all"]
}

Verify via GET /api/v2/oauth/clients/{id}.
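
The verification step above can be scripted as an audit over client definitions. This is an added example, not code from the thread: it flags a client with no division, with a division other than the one expected for that tenant, or with a scope the answer says bypasses division filters. The records for Client B and Client C, the `EXPECTED_DIVISION` mapping, and the assumption that the GET response carries the same `name`, `division` and `scopes` fields as the payloads above are all constructed for illustration.

```python
# Scopes the answer above says bypass division filters. Extend as needed.
ORG_WIDE_SCOPES = {"organization:read"}

# Constructed sample data shaped like the payloads in the thread
# (assumption: GET /api/v2/oauth/clients/{id} returns the same fields).
SAMPLE_CLIENTS = [
    {"name": "BPO Client A", "division": {"id": "div-123"},
     "scopes": ["routing:queue:read", "conversation:participant:all"]},
    {"name": "BPO Client B", "division": {"id": "div-123"},
     "scopes": ["routing:queue:read"]},
    {"name": "BPO Client C",
     "scopes": ["organization:read", "routing:queue:read"]},
]

# Hypothetical mapping of each BPO client to the one division it may use.
EXPECTED_DIVISION = {"BPO Client A": "div-123", "BPO Client B": "div-456",
                     "BPO Client C": "div-789"}


def audit_client(client, expected_division):
    """Return a list of isolation findings for one client definition."""
    findings = []
    division_id = (client.get("division") or {}).get("id")
    if division_id is None:
        findings.append("no division set")
    elif division_id != expected_division:
        findings.append(f"division {division_id} != expected {expected_division}")
    # Any org-wide scope defeats the division restriction, whatever else is set.
    for scope in sorted(set(client.get("scopes", [])) & ORG_WIDE_SCOPES):
        findings.append(f"org-wide scope {scope}")
    return findings


def audit_all(clients, expected):
    """Map client name -> findings, keeping only clients with problems."""
    report = {}
    for client in clients:
        name = client.get("name", "<unnamed>")
        findings = audit_client(client, expected.get(name))
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CLIENTS, EXPECTED_DIVISION).items():
        print(name, "->", "; ".join(findings))
```

Run against the payload from the question, the audit reports the `organization:read` scope even though the division is set correctly.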