The problem is that you are trying to mix an OAuth 2.0 scope ("https://mail.google.com/") with a ClientLogin scope ("ah") and I do not think this is supported.
When you want a token with many permission levels, you concatenate them with a space delimiter as you say. For OAuth 2 scopes it is done like this: oauth2:{space separated list of scopes}
.
When you provide the scope oauth2:https://mail.google.com/ ah
it is assumed that both scopes are OAuth 2 scopes. But since "ah" isn't a valid OAuth 2 scope the Google servers won't accept it and instead gives you the error you see.
I'm not aware of any OAuth 2 scope for the App Engine and two older questions here on Stackoverflow from 2011 and 2012 suggests that it doesn't support OAuth 2 yet.