Definitely possible, here's how I would suggest doing it.
Have a reverse proxy that sits between your application and the external clients. This reverse proxy would authenticate the token and then set the required privileges in the request header.
Elevating privileges for internal clients can be done by the following approaches:
Set an authenticate header in the requests on the reverse proxy. If this header is set to true, it signals that the call is from an external client. The app can decide if it needs to authorize based on this header. Internal clients can call this service without having to go through any authentication/authorization. Note that this would completely eliminate any auth for internal clients.
Have rules on the RP that can set additional headers containing elevated privileges based on the IP of callers. Internal clients' IPs can be made into a list for which this applies.
Have two endpoints for internal and external clients with reverse proxies on both of them. The internal one would set elevated privileges in the request headers.
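As an added illustration (not code from the answer above), here is a small Python model of the proxy logic in the first two approaches: it strips any privilege headers a caller sends, verifies the external token, and sets elevated privileges only for callers on an internal IP allowlist. The token format, HMAC secret, header names and internal networks are all constructed assumptions for the demo.

```python
import hmac, hashlib, ipaddress

# Constructed for the demo: in practice the secret and networks come from config.
TOKEN_SECRET = b"demo-secret"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.1/32")]
# Headers only the proxy may set; they must never pass through from a caller.
PRIVILEGE_HEADERS = {"x-authenticated", "x-user", "x-privileges"}

def mint_token(user, privs):
    """Demo token 'user:priv1,priv2:hexmac' (assumed format, not a real standard)."""
    body = f"{user}:{','.join(privs)}"
    return body + ":" + hmac.new(TOKEN_SECRET, body.encode(), hashlib.sha256).hexdigest()

def verify_token(token):
    """Return (user, [privileges]) if the MAC checks out, else None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user, privs, mac = parts
    expected = hmac.new(TOKEN_SECRET, f"{user}:{privs}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user, privs.split(",") if privs else []

def proxy_headers(incoming, source_ip):
    """Headers the proxy forwards to the app, or None if the request is rejected (401)."""
    # Drop caller-supplied privilege headers, case-insensitively, so an external
    # client cannot claim privileges simply by sending the header itself.
    out = {k: v for k, v in incoming.items() if k.lower() not in PRIVILEGE_HEADERS}
    # Assumes source_ip is the address the proxy actually sees on the socket,
    # not a client-controlled X-Forwarded-For value.
    ip = ipaddress.ip_address(source_ip)
    if any(ip in net for net in INTERNAL_NETS):
        out["X-Authenticated"] = "false"          # internal caller, not externally authenticated
        out["X-Privileges"] = "internal,admin"    # elevated privileges from the IP rule
        return out
    out["X-Authenticated"] = "true"               # external caller: token is required
    auth = incoming.get("Authorization", "")
    result = verify_token(auth.removeprefix("Bearer "))
    if result is None:
        return None
    user, privs = result
    out["X-User"] = user
    out["X-Privileges"] = ",".join(privs)
    return out
```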