Well, I finally figured it out. Not sure if I misread the documentation or if there are missing links, but anyway.
Fact is that when you sign an APK and then ask Google for an OAuth2 token, you have to register your signed app through the dev console. It’s a security measure based on the app package name and the SHA1 fingerprint.
To do that, you have to:
- sign your APK, manually or through Gradle or whatever: the Android documentation is pretty clear on this step;
- get your SHA1 fingerprint; as mentioned in this SO answer, it’s kind of easy in Android Studio: in the Gradle panel, select the signingReport task under your root project and run it – the SHA1 fingerprint will show in the text output;
- register your APK through the Google dev console: create a new Credentials / OAuth client id / Android, defined by the SHA1 fingerprint you got and your APK package name.
And voila!
For information, the only official documentation I found explaining the why and how of the two final steps is here:
https://developers.google.com/drive/android/auth
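As an added example (not part of the answer above), the same SHA1 fingerprint the signingReport task prints can be read straight from the keystore with the JDK's keytool, which is useful on a build machine without Android Studio. The script below wraps `keytool -list -v`, pulls out the SHA1 line, normalizes it to the uppercase colon-separated form the console expects, and sanity-checks that it really is a 20-byte fingerprint. The keystore path, alias and password in the usage comment are the standard Android debug defaults and are assumptions; the keytool output embedded in the script is a constructed sample so the parsing can be exercised without a keystore present.

```shell
#!/bin/sh
# Added example: read the signing certificate's SHA1 fingerprint from a
# keystore with keytool and normalize it for the Google dev console.
# Assumes the JDK keytool is on PATH when keystore_sha1 is called.

# Pull the "SHA1:" line out of `keytool -list -v` output (read on stdin)
# and print only the fingerprint, uppercase and colon-separated.
extract_sha1() {
  sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | head -n 1 | tr 'a-f' 'A-F'
}

# A SHA1 fingerprint is 20 bytes, i.e. 20 hex pairs joined by colons.
# Returns 0 if the argument has that shape, 1 otherwise.
is_sha1_fingerprint() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-F]{2}:){19}[0-9A-F]{2}$'
}

# Run keytool against a keystore and print the normalized SHA1 fingerprint.
# Usage: keystore_sha1 <keystore> <alias> <storepass>
keystore_sha1() {
  keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" | extract_sha1
}

# Constructed sample of `keytool -list -v` output (not a real certificate),
# used only to exercise extract_sha1 without a keystore on the machine.
SAMPLE_KEYTOOL_OUTPUT='Alias name: androiddebugkey
Creation date: Jan 1, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Certificate fingerprints:
   MD5:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
   SHA1: 0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:0a:1b:2c:3d
   SHA256: ...'

# Example usage against the Android debug keystore (assumed default path,
# alias and password; point it at your release keystore for a release build):
#   keystore_sha1 ~/.android/debug.keystore androiddebugkey android
```

The fingerprint that comes out must match, byte for byte, the one you paste into the Android OAuth client id in the console, together with the package name from your manifest; a release build signed with a different keystore has a different fingerprint and needs its own client id entry.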