It means you have used a wrong {code} in your request. It must be the code you got after the user has authorized the app.

Hi Jan,
 

I made a little bit of progress however a few things are still unclear to me.

The OAuth returns a code to my redirect URI which I can then use to get an access token for the user.
I believe I should now be able to get the users activities using this access token.

e.g. 
https://www.strava.com/api/v3/athlete/activities?access_token={access_token}

However this at best seems to be returning some basic athlete details, name, gender etc. and not activities array.

Another thing I am unclear about, should this app be installed on another persons phone will the Client ID and Client Secret which I have on My API Application portal be allowed to get a CODE, and ACCESS_TOKEN for other users?

If you want to get activities you have to request that in the scope parameter of the authorize endpoint and the user has to accept that. That means “scope” must contain “activity:read_all” or “activity:read”

You have to get raised the limit for the number of connected athletes first. See https://developers.strava.com/docs/rate-limits/ in the section for “Athlete Capacity”