You are almost right. You indeed need to authorize your app to access the domain's Drive. To do this you have to associate the scopes you chose with the service account id that you can find in your API console. This association is made in the administrative panel of your domain, of which you posted a screenshot.
I think you got that, but don't forget to use the service account email in your OAuth2 request.
FYI, if you don't specify prn, you access your application's drive, which can't be accessed via the Web UI.
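
The JWT assertion the answer above refers to, as an added example that is not part of the original answer: it shows where the service account email (`iss`), the authorized scopes and `prn` go. The account email, user address and throwaway key are constructed, and the token endpoint URL is an assumption since the post does not name one.

```javascript
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// iss must be the service account *email*; prn is the domain user to act as.
// Without prn the token is for the service account's own (application) Drive.
function buildClaims({ serviceAccountEmail, scopes, tokenUrl, user, now }) {
  const claims = {
    iss: serviceAccountEmail,
    scope: scopes.join(" "), // must match the scopes authorized in the admin panel
    aud: tokenUrl,
    iat: now,
    exp: now + 3600, // one hour
  };
  if (user) claims.prn = user;
  return claims;
}

// RS256-sign "header.claims" with the service account's private key.
function signAssertion(claims, privateKey) {
  const header = { alg: "RS256", typ: "JWT" };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(input), privateKey);
  return `${input}.${b64url(sig)}`;
}

// Local sanity check: return the claims if the signature verifies, else null.
function verifyAssertion(jwt, publicKey) {
  const [h, c, s] = jwt.split(".");
  if (!h || !c || !s) return null;
  const ok = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${c}`), publicKey,
    Buffer.from(s, "base64url"));
  return ok ? JSON.parse(Buffer.from(c, "base64url").toString("utf8")) : null;
}

// Form body for the token request (built only, never sent here).
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    assertion,
  }).toString();
}

// Constructed placeholder values; the token URL is an assumption.
const SAMPLE = {
  serviceAccountEmail: "1234567890@developer.gserviceaccount.com",
  scopes: ["https://www.googleapis.com/auth/drive"],
  tokenUrl: "https://accounts.google.com/o/oauth2/token",
};
```

Signing with the private key downloaded for the service account and posting `tokenRequestBody(...)` to the token endpoint yields the access token; the key used in any local test should be a throwaway one.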