AFAICR, I modified the files in OpenMRS core locally to get OAuth2 module running. I can send you details as soon as I get a chance (currently travelling).
Load the OAuth2 module first and then the FHIR module. Doing it the other way round messes up with the order spring security filters should be loaded.
The OAuth2 module works with FHIR well. That’s how I last left it. To protect more endpoints via the OAuth2 module, all you have to do is create a security:http for that endpoint, similar to