I finally got the ROPC flow to work after following the same doc as referenced above, having battled with that unhelpful 400 Bad Request for far too long.
In the Registered App I created, I had to enable "Accounts in any identity provider or organization". I could not edit an existing app into this state by editing the manifest, despite what the screenshot below suggests, I had to create the app that way.
oauth2AllowImplicitFlow has to be true as well of course.
BTW: after making changes to my registered app, I had to wait 5 - 10 mins for those changes to fully propagate.