Answer:
There was a discussion about this on a bug reported on Google’s Issue Tracker – this has become disallowed due to security concerns. There is, therefore, no current way to use an Apps Script Web App as a JavaScript origin at all.
More Information:
The bug report in question:
An investigation was conducted as there was seemingly no public information about the change. On March 31st 2021, a Googler eventually responded, explaining the reason for the change and closed the issue as intended behaviour:
Current policies for use of OAuth 2.0 require apps to use secure JavaScript origins and redirects on domains that you own. While the use of certain shared domains is allowed (e.g. Firebase apps running on *.web.app), the use of
*.googleusercontent.com
as OAuth origins or redirect URIs is blocked in order to ensure the security and privacy of user accounts.Documentation has been updated at Redirect URI validation rules and JavaScript origin validation rules has been updated in order to reflect this:
Host domains cannot be “googleusercontent.com”.