Request flow

PKCE ("Pixy", RFC 7636)

In this use case the OAuth 2 client is "public" (it is the mobile app, which cannot keep a client secret). For security reasons, always use PKCE ("Pixy") for this kind of client.

See section 1 of RFC 7636 (https://tools.ietf.org/html/rfc7636) for further information.
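The following is an added example, not code from the Airlock documentation: it implements the two halves of PKCE as RFC 7636 defines them, the public client's side (random code_verifier, S256 code_challenge) and the authorization server's check at the token endpoint. The functions and the flow simulation are assumptions for illustration only; the only fixed values are the code_verifier/code_challenge pair from Appendix B of the RFC, used to check the S256 transform.

```python
import base64
import hashlib
import secrets

# RFC 7636 section 4.1: the code_verifier is 43..128 characters from this unreserved set.
UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def b64url_no_pad(data: bytes) -> str:
    """BASE64URL encoding without '=' padding, as the RFC requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes give 43 base64url characters, the RFC minimum length."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def make_code_challenge(code_verifier: str) -> str:
    """S256 method: BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def is_valid_verifier(code_verifier: str) -> bool:
    """Syntax check the server performs on the presented code_verifier."""
    return 43 <= len(code_verifier) <= 128 and all(c in UNRESERVED for c in code_verifier)


def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server side (RFC 7636 section 4.6).

    The challenge and method were stored with the authorization code when it was issued.
    Only S256 is accepted here; 'plain' gives no protection against a leaked challenge.
    """
    if stored_method != "S256" or not is_valid_verifier(presented_verifier):
        return False
    expected = make_code_challenge(presented_verifier)
    # constant-time comparison so the check does not leak the stored challenge byte by byte
    return secrets.compare_digest(expected, stored_challenge)


def pkce_flow(code_leaks_to_third_party: bool = False) -> dict:
    """Hypothetical walk-through of the exchange between a public client and the server.

    The mobile app keeps the code_verifier in memory only; the authorization request carries
    just the code_challenge, so anyone who only observes the redirect (and the code in it)
    cannot redeem the code. The dict returned records what the server decided.
    """
    # 1. client prepares the authorization request
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    authz_request = {"response_type": "code", "code_challenge": challenge,
                     "code_challenge_method": "S256"}

    # 2. server stores the challenge with the issued code (constructed sample code value)
    issued_code = {"code": "constructed-sample-code", "challenge": authz_request["code_challenge"],
                   "method": authz_request["code_challenge_method"]}

    # 3. token request: the real client presents its verifier; a party that only has the
    #    code has to guess one, which fails the S256 check
    presented = make_code_verifier() if code_leaks_to_third_party else verifier
    accepted = server_verify(issued_code["challenge"], issued_code["method"], presented)
    return {"code_challenge": challenge, "token_issued": accepted}


if __name__ == "__main__":
    print("legitimate client:", pkce_flow()["token_issued"])
    print("code intercepted only:", pkce_flow(code_leaks_to_third_party=True)["token_issued"])
```

The "plain" method is rejected on purpose: with it the challenge equals the verifier, so whoever can read the authorization request can also redeem the code, and the transform adds nothing.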


To speed up performance, the Airlock Gateway (WAF) session can be tracked by the OAuth 2 Access Token: the Gateway (WAF) session then "caches" the decision that the Access Token was valid for a certain amount of time, instead of asking IAM on every request.

If doing so, make sure that the Airlock Gateway (WAF) role (credential) issued by the one-shot endpoint of IAM has a short timeout (usually only a few minutes), so that the Gateway (WAF) asks IAM (one-shot) to re-verify the Access Token from time to time.

Remember that an Access Token does not only become invalid after its expiration time but also if the user revokes the consent. A cached decision is therefore only as fresh as the role timeout: a revoked token keeps working on the Gateway until the role expires and the next one-shot check is made.
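The following is an added example, not Airlock code: it models the caching behaviour described above with a small simulation. The one-shot endpoint is replaced by a plain callable (`introspect`, an assumption for illustration), the Gateway session holds a role that expires after `role_timeout_s`, and a fake IAM lets a token be revoked at a chosen time. The function `first_rejection_after_revocation` shows how long a revoked token is still accepted for a given role timeout, which is the window the short timeout in the text is meant to bound.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class GatewaySession:
    """What the Gateway remembers per session after a successful one-shot check."""
    access_token: str
    role_valid_until: float  # after this time the Gateway must ask IAM again


class TokenValidationCache:
    """Gateway-side model: trust a cached IAM decision until the role times out.

    introspect(token) stands in for the call to IAM's one-shot endpoint (hypothetical
    callable, not the product API): it returns True while the token is valid.
    clock() returns the current time in seconds.
    """

    def __init__(self, introspect: Callable[[str], bool], role_timeout_s: float,
                 clock: Callable[[], float]) -> None:
        self.introspect = introspect
        self.role_timeout_s = role_timeout_s
        self.clock = clock
        self.sessions: Dict[str, GatewaySession] = {}
        self.introspect_calls = 0  # counts how often IAM was actually asked

    def is_authorized(self, session_id: str, access_token: str) -> bool:
        now = self.clock()
        s = self.sessions.get(session_id)
        # cached decision: same token, role not yet expired -> no round trip to IAM
        if s is not None and s.access_token == access_token and now < s.role_valid_until:
            return True
        # role expired, new session or token changed -> ask IAM (one-shot) again
        self.introspect_calls += 1
        if not self.introspect(access_token):
            self.sessions.pop(session_id, None)  # drop the stale role on a negative answer
            return False
        self.sessions[session_id] = GatewaySession(access_token, now + self.role_timeout_s)
        return True


class FakeIAM:
    """Constructed stand-in for the authorization server: tokens can be revoked."""

    def __init__(self) -> None:
        self.valid: set = set()

    def issue(self, token: str = "constructed-sample-token") -> str:
        self.valid.add(token)
        return token

    def revoke(self, token: str) -> None:
        """Models the user withdrawing consent (or any other early invalidation)."""
        self.valid.discard(token)

    def introspect(self, token: str) -> bool:
        return token in self.valid


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t


def first_rejection_after_revocation(role_timeout_s: float, revoke_at: float,
                                     probe_every: int = 10, horizon: int = 600) -> Optional[float]:
    """Probe the Gateway every `probe_every` seconds; return the first time the revoked
    token is rejected, or None if it is still accepted at the end of the horizon."""
    iam = FakeIAM()
    token = iam.issue()
    clock = FakeClock()
    gateway = TokenValidationCache(iam.introspect, role_timeout_s, clock.now)
    for t in range(0, horizon + 1, probe_every):
        clock.t = float(t)
        if t == revoke_at:
            iam.revoke(token)
        if not gateway.is_authorized("session-1", token):
            return float(t)
    return None


if __name__ == "__main__":
    for timeout in (300, 120, 60):
        print(f"role timeout {timeout}s, consent revoked at 60s: "
              f"first rejection at {first_rejection_after_revocation(timeout, 60)}s")
```

The simulation makes the trade-off explicit: with a 300 s role timeout the revoked token is still accepted for another four minutes, with a 60 s timeout the Gateway notices at the very next one-shot check. The cost of the shorter timeout is only the number of calls to IAM, which `introspect_calls` counts.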