Posting this here in case it helps anyone else: Once you make the exchange via https://example.my.workfront.com/integrations/oauth2/api/v1/jwt/exchange, you use the access_token to make API calls, but instead of putting "Authorization: Bearer XXX", add "SessionID" as the header and the access_token ...