Google Service Account Authentication to IAP-protected API

I am trying to Authorize a Google Service Account from my REST API resource to an IAP-protected API.

I already provided the Service Account Key from GCP and provided OAuth Scopes of https://www.googleapis.com/auth/cloud-platform based on the documentation here OAuth 2.0 Scopes for Google APIs  |  Authorization  |  Google for Developers

image

I'm currently getting this error when using the REST API. Could it probably that the token generated by retool is not a OIDC token which is expected by IAP.
image

Do I also need to provide headers when using Google Service Account? Like is there a specific magic string for it? For OAuth 2.0 flow I'm using Bearer OAUTH2_ID_TOKEN

image

Note: OAuth 2.0 workflow works fine but I want to use the Service account so that users don't have to authorize retool every time they access the application.

Thanks!