Per the Apigee docs, the OAuthV2 policy's VerifyAccessToken operation requires you to "hard code" the Scope(s) you want to validate.

"If this element appears in a "VerifyAccessToken" policy, then it is used to specify which scopes the policy should enforce. In this type of policy, the value must be a "hard coded" scope name -- you can't use variables. For example:"

<Scope>A B</Scope>

This is extremely unfortunate because we use shared flows for verifying access tokens across multiple proxies. If we could use a variable in the Scope property, which by the way is supported on GenerateAccessToken operatoins, then you could specify the scope in a shared flow callout property and then reference the property/variable in the OAuthV2 policy on the shared flow.

Are there any plans to support variables in the VerifyAccessToken policy or a way to work around this unfortunate limitation?